FTC Issues Latest Update to COPPA FAQs

Earlier this week, the Federal Trade Commission announced an update to its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection (“COPPA”) Rule, which go into effect on July 1, 2013. The updated FAQs clarify parental notice and consent obligations for child-directed apps that collect information from a child in order to send push notifications to users. The new question (No. 80) and answer read as follows:

80. I have a child-directed app and want to send push notifications. Do I need to get parental consent?

  • The information you collect from the child’s device used to send push notifications is online contact information – it permits you to contact the user outside the confines of your app – and is therefore personal information under the Rule. To the extent the child has specifically requested push notifications, however, you may be able to rely on the “multiple-contact” exception to verifiable parental consent, for which you must also collect a parent’s online contact information and provide parents with direct notice of your information practices and an opportunity to opt-out. See FAQ 58. Importantly, in order to fit within this exception, your push notifications must be reasonably related to the content of your app. If you want to combine this online contact information with other personal information collected from the child, you cannot rely on this exception and must provide parents with direct notice and obtain verifiable parental consent prior to sending push notifications to the child.

The FTC’s latest update to the COPPA FAQs follows other recent efforts to educate operators of websites and online services directed to children about their obligations under the amended Rule. As we described last week, the FTC recently sent letters to more than 90 U.S. and foreign-based companies to highlight the significant Rule changes relating to the definition of “personal information.”

NAI Releases Updated Code of Conduct for Online Behavioral Advertising

The Network Advertising Initiative (“NAI”) recently announced final updates to its 2013 Code of Conduct (“NAI Code”). The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies. While prior versions of the NAI Code were focused on advertising networks, the 2013 NAI Code keeps pace with developments in the online advertising ecosystem and also governs the actions of participating demand side platforms (“DSPs”), supply side platforms (“SSPs”), and ad exchanges, among others.

The 2013 NAI Code reinforces the requirements for participants to provide education, notice, and choice regarding OBA, stating that industry’s approach must not remain stagnant, but rather adapt to ensure that the self-regulatory framework remains relevant and effective. It was also updated to reflect regulatory guidance including the FTC Final Privacy Report and White House Privacy Report. Additionally, the 2013 NAI Code harmonizes requirements with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising. [The NAI is one of the members of the DAA.]

The 2013 NAI Code introduces a new framework of data “identifiability” that splits the difference between the FTC and industry’s definitions of what is PII:

  • PII = Used or intended to be used to identify an individual
  • Non-PII = Linked or reasonably linkable to a specific computer or device
  • De-Identified Data = Not linked or reasonably linkable to either an individual or a specific computer or device

The online advertising industry continues to face scrutiny from regulators and Congress regarding its approach to OBA, with a specific focus on a Do Not Track standard. Companies engaged in any OBA, interest-based advertising, or online remarketing / retargeting activities should stay tuned as the self-regulatory and regulatory framework continues to evolve.

FTC Reaches Out to Businesses on COPPA

On May 15, 2013, the Federal Trade Commission sent letters to more than 90 U.S. and foreign-based companies that may be affected by amendments to the Children’s Online Privacy Protection Rule (“COPPA” or the “Rule”), which go into effect on July 1, 2013. The letters, which do not reflect an official evaluation of the recipients’ privacy practices, were targeted to online services and mobile applications that collect “personal information” from children under age 13, as defined by the Rule.

The primary purpose of the letters was to highlight the significant changes to the COPPA Rule definition of personal information, which, under the current Rule, includes user names, a home or physical address, contact information (e-mail address or telephone number), and social security numbers. As described in the letters, the amended Rule expands the definition of personal information to include persistent identifiers, such as cookies, IP addresses, and mobile device IDs, that can recognize users over time and across different websites or online services. Online operators that collect such information must provide notice and obtain parental consent, unless they use the identifiers to support internal operations, such as for user authentication or network analysis. Under the revised Rule, personal information also includes photographs or video with a child’s image, or an audio file with a child’s voice.

In addition to describing changes to the definition of personal information, the letters also highlighted the following “musts” for developers of child-directed online or mobile apps:

• Notice and parental consent for personal information collected on applications from third parties, such as ad networks;
• Reasonable steps to release children’s personal information only to companies that will keep it secure and confidential;
• New data retention and deletion requirements.

The letters are the latest step by the Commission to generate awareness about how the COPPA Rule changes may affect online operators’ current business practices. As we described last month, FTC Staff also issued an updated Frequently Asked Questions (“FAQ”) document, Complying with COPPA: Frequently Asked Questions, that includes a number of questions (and answers) that directly address how the amended COPPA Rule differs from the current Rule.

House Lawmakers Introduce New Bill to Address Mobile App Privacy

On Thursday, May 9, Rep. Hank Johnson (D-GA), and co-sponsor Rep. Steve Chabot (R-OH) introduced the “Application Privacy, Protection, and Security (APPS) Act of 2013,” (H.R. 1913). The bill, which is aimed at increasing consumer privacy within applications (“apps”) available through smartphones and other mobile devices, retains the provisions included in the discussion draft of the legislation circulated by Rep. Johnson in January 2013.

Among its key provisions, the APPS Act would require app developers to make a privacy statement available to consumers before they purchase an app, obtain consent from consumers before collecting data, and securely maintain the data that they collect. A developer’s privacy statement would have to disclose the categories of personal information collected by the app, and how such information is used, including whether it is shared with any third parties. App developers also would be required to include within their privacy statement a data retention policy that describes how long information is retained, and how consumers can access and seek the removal of such information. Under the bill, the Federal Trade Commission would be tasked with drafting regulations to implement the law, including defining the term “personal data,” as well as enforcing such regulations.

The APPS Act is the product of Rep. Johnson’s AppRights initiative, which is a web-based legislative project launched in July 2012 to address the privacy and security of mobile device users, and follows other recent federal and state efforts to enhance privacy protections for mobile app users. For example, we posted last week about the latest developments regarding the California Attorney General’s efforts to require all app developers to include a privacy policy in their mobile app.

Delta Cleared for Takeoff: Wins Dismissal of California AG Mobile App Privacy Action

In December 2012, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”) alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  It was the first mobile app enforcement action brought by the California Attorney General and closely followed the Attorney General’s warning campaign in which it sent out letters to approximately 100 app developers and companies notifying them that they were not in compliance with California’s law.  Our previous coverage of the complaint is here.

Yesterday, the California Superior Court dismissed the claim, holding that the state action is pre-empted by the federal Airline Deregulation Act, which prohibits states from applying regulations on airlines related to price, routes, or services.  Judge Miller stated: “In this instance it’s services. . . . I think that this case is, in effect, an attempt to apply a state law designed to prevent unfair competition, which regulates an airline’s communications with consumers, and I think it’s pre-empted.”  Press coverage is available here.

This is an interesting result for the first Attorney General app enforcement action and it’s too soon to tell whether the Attorney General will appeal the decision.  Unfortunately, the ruling doesn’t provide any substantive guidance, or give much comfort, to companies that can’t make similar federal pre-emption arguments.  Companies with mobile apps will want to keep their seatbacks and tray tables in their upright and locked positions as we watch for the Attorney General’s next activities in the mobile privacy space.

FTC Continues FCRA Enforcement Activities: Warning Letters to 10 Data Brokers

Today, the Federal Trade Commission (“FTC”) announced that it sent letters to 10 data brokers warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”).  A sample letter is available here.  Among other things, the FCRA governs the sale and use of consumer information which may be used to make decisions about consumers’ creditworthiness, eligibility for insurance, or suitability for employment.

As part of a global privacy sweep conducted by the Global Privacy Enforcement Network (“GPEN”), the FTC conducted test-shopping with 45 data brokers.  Based on the sweep, 10 data brokers indicated a willingness to sell consumer information in a manner that may violate the FCRA.

As we’ve previously noted here and here, the FTC continues to use its authority under FCRA through enforcement actions—which include civil penalties—and warning letters.  Last month, the FTC warned 6 websites that their sharing of consumers’ rental history information with landlords may be subject to the FCRA.

While the warning letters are not a formal complaint alleging FCRA violations, they are an important reminder for all companies that sell consumer information to closely examine whether these practices fall under the FCRA and, if so, to ensure proper compliance.

FTC Issues Updated COPPA FAQs

On April 25, 2013, the Federal Trade Commission issued an updated version of its frequently asked questions (“FAQs”) document to assist online operators as they prepare for changes to the Children’s Online Privacy Protection Rule (“COPPA”) that go into effect on July 1, 2013. COPPA requires commercial websites and online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 to obtain verifiable parental consent before collecting personal information from such children.

The FAQ document, Complying with COPPA: Frequently Asked Questions, was developed by FTC Staff and describes how operators can comply with the various COPPA Rule amendments announced on December 19, 2012. The amendments, which are the first revisions to COPPA since it became effective in 2000, significantly modify or expand key definitions within the Rule, including the definitions of “operator,” “personal information,” and “website or online service directed to children,” and update COPPA’s requirements concerning parental notice and consent, and the existing safe harbor provisions. The updated FAQs include a number of questions (and answers) that directly address how the amended Rule differs from the original Rule, including the following:

• What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?
• Other than the changes to the definition of personal information, in what ways is the new Rule different?
• Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation?

FTC Staff announced the updated FAQs two days after online industry and business organizations, including the Direct Marketing Association (“DMA”) and the U.S. Chamber of Commerce, sent a letter to the FTC seeking an extension of the effective date for the COPPA Rule amendments, from July 1, 2013 to January 1, 2014. The letter cited the lack of an updated FAQs document as one key reason for requesting the extension.

New Virginia Law Prohibits the Release of Employees' PII

Virginia has passed legislation to prohibit the disclosure of employees’ "personal identifying information" (PII). Effective July 1, 2013, the new law makes it unlawful for an employer to release to a third party any current or former employee’s PII, defined in the following limited way: "home or mobile telephone numbers, email address, shift times, or work schedule." The bill provides for certain enumerated exceptions, including when the PII release is required by federal or state law, court order, warrant issued by a judicial officer, or “a subpoena issued in a pending civil or criminal case, or by discovery in a civil case.”

The new law may affect whether, and under what circumstances, companies with current and former employees in Virginia respond to law enforcement and other requests for employee information.

Written by Alysa Z. Hutnik and Sherrie Schiavetti

Handy Health Tracking Mobile App...Or Regulated Medical Device?

The use of mobile apps for health purposes has created new questions for users, developers, and regulators regarding the balance between convenience, expanded health care, and public safety. The line between apps that are useful tools for accessing health information and those that are considered medical devices can be unclear but is very important for developers and marketers of these products.

On April 24, 2013, associate Kristi L. Wolff will present a Thompson Interactive webinar, “There's an App for That: Regulating Mobile Medical Devices,” regarding these issues. Ms. Wolff will discuss the regulatory status surrounding health-related and medical device mobile applications, or MMAs. The presentation will cover the FTC’s enforcement and recent statements regarding health-related mobile applications; design considerations key to application development, such as privacy; the FDA’s position regarding MMAs as explained in its draft guidance; and the recent Congressional hearings on the issue. Participants will also have the chance to ask questions during the live Q&A portion of the webinar.

To register, please click here.

House Passes H.R. 624, Cyber Intelligence Sharing and Protection Act; Obama Administration Responds

Last week, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 624), introduced on February 13, 2013 by House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD). Passage of the bill occurred shortly after the White House threatened to veto CISPA in its current form, and has incited fierce opposition from several privacy and digital rights groups that have rallied – with limited success – for an Internet blackout today. The House had passed similar legislation (H.R. 3523) in the 112th Congress on April 26, 2012, in a measure that was not taken up by the Senate.


Wyndham Wins Change of Venue in FTC Data Security Case

The FTC’s first litigated data security action alleging that a company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act based on its data security practices continues, but now in a different jurisdiction. The complaint was originally filed in the U.S. District Court in Arizona. The Arizona Federal District Court’s March 25 ruling granted the defendants’—Wyndham Worldwide Corporation and three of its subsidiaries—motion to change venue. The matter will now be heard in the District of New Jersey.

Retailer Sues Visa for Recovery of Data Breach PCI Fines

In a first of its kind suit, on March 7, 2013, the sports-apparel retailer Genesco filed a lawsuit against Visa for recovery of fines that Visa issued against Genesco after it suffered a data breach. Generally, merchants are contractually required to be compliant with the payment card industry data security standard (PCI DSS) as well as the payment card brands’ specific operating rules and regulations in order to accept each brand’s payment cards.  In the event of a data breach, a payment card brand may seek to recover funds for the incremental fraud incurred by the payment card brand, operational expenses (to cover costs such as card replacement), and fines for non-compliance with the PCI DSS.

After Genesco suffered a packet sniffer data breach in 2010, Visa assessed Genesco a total of $13.3 million in fines. In its complaint, Genesco alleges that it was never out of compliance with the PCI DSS and, thus, should not be liable for the fines.

Given the prevalence of data breaches--and especially the high costs incurred by merchants when responding to, and cleaning up the aftermath from, a breach involving payment card information--merchants should pay close attention to this case. If Genesco ultimately prevails, the case could challenge the underpinnings of the payment card brands’ contracting and enforcement mechanisms.

FTC Settles Claims of Privacy-By-Design Unfairness and Deception With Mobile Device Manufacturer

Consistent with the FTC’s laser focus on mobile privacy, the Commission today announced its latest privacy law enforcement action – this time against a mobile device manufacturer. Today’s announcement concerns a settlement with HTC America over the FTC’s charges that the device manufacturer did not sufficiently secure the software that it developed for its smartphones and tablet computers, and did not accurately describe its data handling practices to device users. The FTC’s allegations underscore the Commission’s view that companies are required under Section 5 of the FTC Act to (1) implement a number of specific privacy-by-design steps in products capable of collecting, accessing, and transmitting personal information, and (2) carefully confirm that any representations they make about a product and how personal information is handled – including statements in a product’s user guide and representations made on the interface of a software application – remain consistent with the product’s capabilities.

The case is a good example of how quickly and aggressively privacy law and enforcement are evolving, and how important it is to be cognizant of such legal trends and how they affect a company’s privacy responsibilities in product design and development. The failure to incorporate such considerations from “the ground up” and as part of a company’s culture, training, and oversight can, as this action and the FTC’s steady enforcement on such issues demonstrate, lead to 20-year regulatory consent orders and/or expensive litigation.

This Kelley Drye client advisory outlines the FTC’s most recent “privacy by design” law enforcement action, and identifies several practical tips to keep in mind for companies that design and market products capable of collecting, storing, or disclosing personal information.

Strategies for Avoiding Big Privacy "Don'ts" with Personal Data

On February 27, I will be speaking at the Strata Conference – Making Data Work, in Santa Clara, Calif. My presentation will outline best practices and learning lessons to describe how companies, no matter where they reside in the online ecosystem, can avoid big privacy “don’ts” when collecting, storing, or sharing consumers’ personal data. I’ll describe key privacy-related developments led by state and federal regulators and break down how these events are likely to inform consumer privacy activities with respect to big data for the remainder of 2013.

For a preview of the session, read my post on the Strata blog, “Privacy in the Online Ecosystem: Obligations and Best Practices Are Evolving.”

HHS Clarifies that ISPs are not Business Associates under HIPAA

The Department of Health and Human Services (“HHS”) issued a final rule to update its regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In the final rule, HHS clarifies that data transmission organizations, such as Internet Service Providers (“ISPs”), that do not require access to protected health information (“PHI”) on a routine basis are not “business associates” under HIPAA.

As a result, ISPs that provide data transmission services to hospitals, doctor’s offices, and other “covered entities” under HIPAA can provide these services without adjusting their business operations to comply with HIPAA’s requirements or attempting to treat PHI differently from other data transmitted on the ISPs' networks. These entities are mere conduits for the transportation of PHI.

However, the final rule also clarifies that ISPs or other data transmission organizations that manage the exchange of protected health information through a network have more than random access to PHI.  Examples of these management services include record locator services or oversight and governance functions. As a result, these entities are still considered business associates under HIPAA.

NAI Releases 2012 Compliance Report for Online Behavioral Advertising

On February 7, 2013, the Network Advertising Initiative (“NAI”) released its 2012 Annual Compliance Report addressing member organizations’ adherence to the NAI Code. The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies (such as advertising networks).

The 2012 Compliance Report indicates that the NAI and its members:

  • Educate consumers about OBA and their choices
  • Provide notice about each member’s OBA practices on the member’s site and on the sites where data is collected for OBA purposes
  • Disclose the collection of health-related information
  • Maintain opt-out mechanisms so users can elect not to receive OBA
  • Require opt-in consent mechanisms for the use of sensitive consumer information
  • Deliver OBA without the use of individuals’ personally identifiable information (“PII”)
  • Do not specifically target OBA to children under age 13
  • Use collected data only for marketing purposes
  • Implement standards and restrictions on data retention, security, and transfer

The NAI also indicated that it will develop guidelines on the collection and use of data on mobile devices and use of mobile tracking technologies.

Online behavioral advertising continues to receive attention from regulators such as the Federal Trade Commission. Companies that engage in OBA should continue to ensure that they work with partners that comply with appropriate self-regulatory programs.

FTC Takes Action on Mobile App Privacy

On February 1, the FTC issued the staff report Mobile Privacy Disclosures: Building Trust Through Transparency, which provides a series of consumer privacy-focused recommendations for key stakeholders in the mobile app ecosystem, including developers, platform providers, third-party advertising networks, and others. The Report responds to the explosive growth in smartphone use by consumers within the past few years and focuses on best practices to ensure that consumers receive timely and easy-to-understand information about the personal data that apps collect and how that data is used or shared with third parties.

In addition to releasing the staff report, the Commission announced two other items that reflect the Commission’s current focus on mobile app privacy. First, the FTC introduced a new business guide that complements the privacy disclosure report with a set of data security best practices tailored to mobile app developers. Second, the FTC announced a settlement with social networking app developer Path, Inc. over charges that it deceived users about its data collection practices and violated the Children’s Online Privacy Protection Act (“COPPA”) Rule by collecting personal information from children without their parents’ consent.

This Kelley Drye client advisory provides a detailed summary of the FTC’s latest efforts relating to consumer privacy in the mobile app ecosystem.

California Supreme Court Holds Song-Beverly Act Not Applicable to Online Transactions for Downloadable Products

In its February 4, 2013 opinion, the California Supreme Court continues to shape the scope of California’s Song-Beverly Credit Card Act, a consumer protection statute that prohibits the collection of personal identification information (“PII”) from consumers as part of a credit transaction.  In its decision, the Court held that the Song-Beverly Act does not apply to online purchases in which the product is downloaded electronically.

A class action suit alleged that Apple, Inc. violated the Song-Beverly Act by requiring consumers purchasing media downloads through Apple’s iTunes store to provide their telephone number and address to complete the credit card purchase.  Apple argued that the Song-Beverly Act does not apply to online transactions and, among other things, that imposing its requirements would undermine the prevention of identity theft and fraud.

In a 4-3 decision, the Court ultimately agreed with Apple.  The Court’s rationale for excluding online transactions from the scope of the Song-Beverly Act included:

  • When examining whether the Act should be applied to technology that was not envisioned by the legislature when drafting the Act, the plain meaning of the Act’s text is not decisive.
  • While the Act was enacted to protect consumer privacy, it was not intended to be without regard to exposing consumers and retailers to undue risk of fraud.  Certain safeguards against fraud available at brick-and-mortar stores are not available to online retailers selling an electronically downloadable product.
  • The enactment of the California Online Privacy Protection Act of 2003 clarified that existing law (including the Song-Beverly Act) did not directly regulate the privacy practices of online businesses.

The decision provides some comfort for businesses that operate online stores for the sale of electronically downloadable products—PII can be collected as part of the transaction.  However, the decision expressly excludes online transactions that do not involve electronically downloadable products.  The Court also notes that the California legislature may wish to revisit consumer privacy and fraud prevention in online credit card transactions.  Businesses will want to continue to monitor developments in this space.

For a more detailed look at Song-Beverly Act litigation, see our recent article here.

This post was written by Alysa Z. Hutnik, Keri E. Campbell, and Christopher M. Loeffler.

FTC's Privacy Focus Continues in 2013: Blood Bank Data Breach Leads to Settlement

This week, the FTC announced a settlement with Cbr Systems, Inc., the operator of a leading cord blood bank, over charges that the company failed to protect the security of its customers’ personal information, and that inadequate security measures led to a data breach affecting approximately 300,000 consumers. The FTC claimed that Cbr’s alleged actions and privacy policy claims were deceptive and violated the FTC Act.

FTC’s Complaint Allegations: Cbr offers a service through which consumers can pay to preserve and store a newborn’s umbilical cord blood and tissue that contain stem cells, the use of which researchers are investigating to treat certain diseases and conditions. Cbr’s privacy policy claims that, in all instances, Cbr takes steps to ensure that its customers’ personal information “is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy. . . .”

According to the FTC Complaint, Cbr took unnecessary risks by allowing employees to transport personal data contained on backup tapes, laptops, and other electronic devices in a way that made the information vulnerable to theft. The FTC alleged that such practices contributed to a December 2010 security breach in which unencrypted backup tapes, a Cbr laptop, external hard drive, and thumb drive were stolen from an employee’s personal vehicle. The stolen devices contained personal data, including the names, addresses, contact information, and credit card numbers of nearly 300,000 customers.

Settlement Provisions: In resolving these allegations, the FTC settlement bars Cbr from making material representations about the extent to which the company maintains the privacy and security of consumers’ personal information. The settlement also requires Cbr to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years. Going forward, a violation of the settlement could expose the company to up to $16,000 per violation.

What This Settlement Signals: Not coincidentally, the FTC announced the settlement on January 28, National Data Privacy Day. The timing underscores that, in 2013, the FTC will continue to hold companies accountable for the representations that they make to consumers regarding their privacy practices, and for appropriately securing the personal data in their control.

UK ICO Fines Sony £250,000 After 2011 Data Breach

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) announced that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”).

In April 2011, Sony announced that it suffered a series of data breaches on the PSN and Sony Online Entertainment affecting up to 101.6 million records. This included customer name, address, email, date of birth, login/password information, online identification, purchase history, billing address, and password security questions. It also included up to 12 million unencrypted credit card numbers.

Under the UK Data Protection Act 1998, a data controller, such as Sony, must comply with the data protection principles so that personal information is:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate and up to date;
  • Not kept for longer than is necessary;
  • Processed in line with your rights;
  • Secure; and
  • Not transferred to other countries without adequate protection.

As described in its Monetary Penalty Notice, the ICO can issue a fine up to £500,000 for a “serious contravention” of these data protection principles.

Sony faced U.S. Congressional scrutiny shortly after the 2011 breach. However, Sony representatives declined to testify before the U.S. House Commerce Subcommittee in a hearing on comprehensive federal data security and data breach notification legislation. Also, private class action litigation against Sony arising from the data breach is still pending.

Businesses with a global customer base (online or otherwise) should be mindful of the privacy and data security obligations triggered by collecting personal information from consumers around the world.

California AG Issues Privacy Recommendations for the Mobile App Ecosystem

Today, the California Attorney General released the report, Privacy on the Go: Recommendations for the Mobile Ecosystem, which offers a series of consumer privacy recommendations for mobile app developers, platform providers, ad networks, and mobile carriers. According to the Attorney General, the recommendations exceed the protections afforded by existing privacy laws in certain instances and are intended to encourage all stakeholders in the mobile app ecosystem “to consider privacy at the outset of the design process.”

The recommendations in the report focus on the concept of “surprise minimization,” which entails minimizing surprises to app users that result from unexpected privacy practices. According to the report, the “obvious ways” that app developers can avoid unpleasant surprises include: (1) only collect personal data that is necessary for the app’s basic functionality; and (2) provide users with a conspicuous, easy to understand privacy policy prior to download. Additional recommendations in the report include the following:

  • Developers: Maintain a checklist of all personal data that your app collects; use just-in-time “special notices” that will draw users’ attention to unexpected data practices.
  • Platform Providers: Make app privacy policies accessible from the app platform prior to download, and implement efforts to educate users on mobile privacy.
  • Mobile Ad Networks: Avoid out-of-app ads that modify browser settings or place icons on the mobile desktop; use app-specific or temporary device identifiers rather than interchangeable device-specific identifiers.
  • Operating System Developers: Develop global privacy settings that allow users to control the data and device features accessible to apps.
  • Mobile Carriers: Educate customers on mobile privacy, including children’s privacy (more information on the carrier recommendations is available here).

The report is the latest effort by the Attorney General to promote mobile app industry compliance with California’s Online Privacy Protection Act. In December, the Attorney General filed a lawsuit against Delta Airlines alleging that Delta violated state privacy laws by failing to post a privacy policy within its Fly Delta mobile app. The lawsuit was the first legal action following the Attorney General’s announcement in October 2012 that it had sent notices to a number of app operators that their apps failed to comply with state privacy laws. These actions followed agreements reached in early 2012 between the Attorney General’s Office and seven mobile app platform providers, including Facebook, Apple, Google, and Amazon, to improve privacy protections on mobile apps.

FTC Issues Final Amendments to the Children's Online Privacy Protection Rule (COPPA)

On December 19, 2012, the FTC issued its long-awaited final amendments to the Children’s Online Privacy Protection Rule (“COPPA”). COPPA requires commercial websites and online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 to obtain verifiable parental consent before collecting personal information from such children. The final revisions significantly modify or expand key definitions within the Rule, including the definitions of “operator,” “personal information,” and “website or online service directed to children,” and update the Rule’s requirements concerning parental notice and consent, and the existing safe harbor provisions. These changes both broaden the scope of online entities that are subject to COPPA and provide new pathways to compliance for certain child-directed sites. The amendments also include new safeguard requirements, including provisions that involve personal data minimization and disposal obligations. 

The amendments to COPPA, which represent the first revisions to the Rule since it became effective in April 2000, respond to the substantial changes in consumer technology that have occurred during the past decade. Specifically, the revisions are intended to ensure that the Rule continues to provide privacy protections for children who increasingly participate in social networking and interactive gaming, or engage in online activities or applications (“apps”) through a mobile device. Because the FTC is able to levy fines of up to $16,000 per violation for non-compliance with the COPPA Rule, all companies that either collect information from children or operate a website or online service that may be attractive to children should carefully assess their legal obligations under the revised Rule.

For a detailed look at what’s changed in the COPPA Rule, please reference the Kelley Drye client advisory.

FTC Continues to Scrutinize Children's Mobile Apps and Concludes Privacy Disclosures Are Insufficient

On December 10, the FTC issued the staff report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade.” The report describes the results of a recent survey by FTC staff that examined the privacy disclosures and practices associated with 400 mobile apps targeted to children. The report follows up on a similar FTC staff report issued in February 2012, which noted that, based on an initial survey of child-focused apps, very few mobile app developers or app stores provide privacy policies, disclosures, or other information that enable parents to determine what data is collected from their children and how that information is used or shared with third parties.

According to the Commission, the latest staff survey reveals that “little or no progress has been made” by the mobile app industry on increasing transparency in the mobile marketplace during the past year. In response, the Commission is urging app developers and app store operators to implement privacy best practices, such as those outlined in the FTC’s March 2012 privacy report. In addition, the report notes that FTC staff has launched multiple non-public investigations to determine whether certain entities in the mobile app ecosystem are violating the Children’s Online Privacy Protection Act (“COPPA”) or engaging in unfair or deceptive practices in violation of Section 5 of the FTC Act.

This Kelley Drye client advisory summarizes key results from the survey and provides recommendations for stakeholders in the mobile app ecosystem in light of the report.

FTC Hosts Workshop on Comprehensive Consumer Data Collection

Last week, the FTC hosted the public workshop, “The Big Picture – Comprehensive Online Data Collection,” which focused on the privacy concerns relating to the comprehensive collection of consumer online data by Internet service providers, operating systems, browsers, search engines, and social media. The workshop, which fulfilled an action item contained in the FTC’s March 2012 final privacy report, featured a series of panels with representatives from government, academia, consumer groups, privacy professionals, and the technology industry who discussed the risks and benefits, consumer awareness and perceptions, and the future of online data collection.

According to the Commission, the purpose of the workshop was to identify differences in how existing online technologies collect consumer data, and determine whether these differences should have any bearing on current privacy policy discussions. The FTC and other stakeholders will use the information obtained during the workshop to assess whether certain technologies, such as deep packet inspection (“DPI”), warrant heightened restrictions or enhanced consumer consent requirements.

The topic and timing of the workshop provide clear indicators that consumer online privacy will remain an important area of focus for the Commission in 2013, both in terms of enforcement and potential policy initiatives. Please see the Kelley Drye client advisory for a summary of the key topics discussed during the workshop.

California AG Files Lawsuit Against Delta Airlines For Noncompliance With California's Online Privacy Law

Yesterday, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”), alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  The lawsuit, which was filed in California Superior Court, is the first legal action following the Attorney General’s announcement in October that it sent notices to numerous mobile app operators, including Delta, that their apps did not comply with state privacy laws.  The notices gave the operators 30 days to conspicuously post within their mobile apps a privacy policy that identifies the personal information that the app collects and how the information will be used.

According to the Attorney General’s Complaint (available here), the Fly Delta mobile app, which customers can use for flight check-ins, to view reservations, and to track checked baggage, does not have a privacy policy even though the app collects personal information including the user’s name, gender, date of birth, telephone number, frequent flyer account number, and, in some cases, photographs and geolocation information.  The lawsuit notes that Delta posts an online privacy policy on www.delta.com, but states that the policy is insufficient because it does not refer to the Fly Delta app and is not reasonably accessible to app users.

The lawsuit seeks to enjoin Delta from distributing its app without a privacy policy and impose a penalty of up to $2,500 for each time the Fly Delta app is downloaded without including the required privacy policy.

This latest development follows the agreements reached earlier in the year between the Attorney General’s Office and Facebook, Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion, to improve privacy protections on mobile apps.  The lawsuit against Delta is likely the first of multiple legal actions by the Attorney General against mobile app operators and is a clear signal to companies in the mobile app market that, to avoid a possible enforcement action, they must understand and comply with California privacy laws.

Insurance Coverage for Data Breach Claims

Data breaches caused by hackers or other forces outside the control of a business are a scary, and expensive, proposition for any organization that collects or retains personally identifiable information, or warehouses credit or financial information. According to a recent study by Symantec, an average data breach will cost an organization $5.5 million, including direct costs such as engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions, discounts for future products and services, and indirect costs such as in-house investigations and communication. These costs are in addition to the costs of potential litigation (often in the form of a class action) by customers alleging that the company failed to take adequate measures to protect their data, and investigations by government agencies, such as the Federal Trade Commission, that frequently become involved when breaches affect a large number of consumers.

As with any potentially catastrophic problem, insurance can be at least a partial solution. A new article in The Corporate Counselor examines insurance coverage for data breaches. In-house counsel may be surprised to learn that coverage for data breaches is not limited to specialty policies, and can often be found under standard CGL or property insurance policies. Any time a potential data breach occurs, it is essential for an insured to consider all forms of insurance that it carries and to provide prompt notice to its insurer(s) under any policy that even potentially could apply.

The article, "Insurance Coverage for Data Breach Claims," was written by Richard D. Milone, Edward E. Weiman, and Cameron R. Argetsinger.

Mobile App Developers Targeted By The California Attorney General's Office

Yesterday, the California Attorney General announced that it has started sending notices of non-compliance to numerous mobile app developers, notifying them that their mobile apps were not compliant with California’s Online Privacy Protection Act, Cal. Bus. & Prof. Code §§ 22575-22579. The law requires operators of online sites and services that collect personal information about California residents to post a privacy policy that complies with specified requirements, including for the privacy policy to be posted conspicuously and reasonably accessible. The Attorney General’s letters explained that, to satisfy the law, at a minimum, a link to the app’s privacy policy needed to be conspicuous and “reasonably accessible” to the user within the app. The Attorney General notices are prompting the app developers to make necessary changes within 30 days. The state law provides for penalties of up to $2,500, which the Attorney General notices asserted could apply each time a non-compliant mobile app is downloaded.

This latest development follows the agreements reached earlier in the year between the Attorney General’s Office and Facebook, Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion, to improve privacy protections on mobile apps. The agreement included efforts to provide a way for privacy policies to be posted in a consistent location for apps, for the privacy policy to be reviewed prior to download, and for app users to report apps that do not comply with laws or the applicable terms of service.

A copy of the letter that the California Attorney General’s Office sent to mobile app developers can also be found here.

FTC Settlement Targets Web-Tracking Company

The Federal Trade Commission (FTC) announced that Compete Inc., a web analytics company, agreed to settle allegations that it engaged in unfair and deceptive practices by collecting personal data without disclosing the extent of the information it was collecting and failing to honor promises it made to protect the personal data it collected.

In its complaint, the FTC alleged that Compete persuaded consumers to download its tracking software by urging them to join a Consumer Input Panel and promising them rewards in exchange for sharing their opinions about products and services. Once installed, the tracking software automatically collected not only information about consumers’ online activity, such as web pages visited, but also usernames, passwords, search terms, credit card and financial account information, security codes, expiration dates and Social Security numbers. Compete used the consumer data to generate reports on improving website traffic and sales, which it sold to third parties.

The FTC alleged that Compete violated Section 5 of the FTC Act by failing to disclose that it would collect more information than just the web pages that consumers visit, and failing to honor its consumer assurances that “all data is stripped of personally identifiable information before it is transmitted to our servers” and “we take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.” With respect to data security, the FTC specifically alleged that Compete failed to provide reasonable and appropriate data security, transmitted sensitive data in an unsecure manner, failed to design and implement reasonable safeguards for consumer data, and failed to use readily available measures to mitigate risk to the data.

Compete’s settlement provides another example of the FTC’s continued enforcement related to tracking consumers’ online activity and data security. Yet, unlike other recent FTC settlements, Compete does not directly use the consumer data it collects to sell its own products and services to consumers. Consumer data is Compete’s product. As such, this settlement should send a signal to those who use data, as well as those who collect and distribute it, that the FTC expects them to be respectful of consumer privacy, provide reasonable and appropriate safeguards for such data, and to do what they say and say what they do when it comes to consumer data.

Under the settlement, Compete is required to:


The Future of Privacy Forum Announces First Privacy Seal Program for Energy Usage Data

On October 1, 2012, Washington-based think tank the Future of Privacy Forum (FPF) announced the first privacy seal program for companies processing consumer energy usage data (CEUD) made available through smart meters. The seal will be powered by TRUSTe, a data privacy management company. To create the program, FPF and TRUSTe worked with a number of utilities, utility regulators, and private firms, including AT&T, Comcast, IBM, Motorola, and Verizon. The program will include an advisory committee comprising Edison Electric Institute, the Gridwise Alliance, and consumer advocates.

Given the nascence of grid modernization efforts, the CEUD made available through smart meters does not fall within the scope of existing federal privacy statutes. While a number of states – namely, California and Colorado – are taking an aggressive role in developing privacy policies for smart meter data, many states have not even started to take up the issue. In the absence of comprehensive and consistent state and federal regulation, numerous industry guidelines and best practices have emerged. The FPF’s privacy seal program is a self-regulatory approach that has been hailed by industry members as a “landmark consumer privacy initiative”. It covers two types of CEUD: data collected directly from consumers by smart devices (i.e., smart appliances), and data collected by third parties (i) directly from a smart meter, (ii) provided by the utility, or (iii) provided by the consumer. The FPF believes that this program is critical to vet the privacy policies of third parties and to provide assurances to utilities, regulators, and consumers that companies are in compliance with responsible standards. In addition, it will provide consumers with an avenue for complaint resolution and will supplement regulators’ efforts to ensure consumers are protected. Click here for a model short consent form for a hypothetical Smart Water Heater.

Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, applauds the FPF’s new initiative. “The seal is a reflection of Privacy by Design which requires that a proactive approach be taken. FPF recognizes that privacy is best assured when it is strategically interwoven into operational processes and business practices.” This program is the first of likely many self-regulatory programs in the energy context to ensure that participating companies commit to responsible privacy and data security practices.

Connecticut Data Breach Law Will Require Notice to Attorney General

Beginning October 1, 2012, Connecticut’s data breach notification law will require businesses to notify the Office of the Attorney General of a security breach affecting Connecticut residents.  The current law was repealed and replaced wholesale with the new law, which was neatly tucked away in a Special Session bill implementing the state’s budget for the fiscal year.  (Note:  The language regarding breach notification starts on page 162 of the 468 page bill.)

The new law demonstrates an effort to increase the Attorney General’s visibility into breach events, and will make it easier for the Attorney General to enforce the consumer notice requirements.  Businesses should notify the Attorney General of a security breach using a new email address, ag.breach@ct.gov, no later than when consumers are notified of the breach.

Businesses that operate in Connecticut or collect or store personal information from Connecticut residents should take note of the new law, and ensure that notice is provided to the Office of the Attorney General in a timely manner.  Connecticut is one of 16 states that require notice to a state agency in the event of a security breach.  A chart that sets out these state requirements is available here.

Sen. Rockefeller Requests CEOs of Every Fortune 500 Company to Describe Cybersecurity Practices

Sen. Jay Rockefeller (D-WV) is sending letters to CEOs at every Fortune 500 company asking them to identify their cybersecurity practices and efforts to protect critical infrastructure.  Prior efforts to enact cybersecurity legislation during the 112th Congress have been ineffective, as comprehensive cybersecurity legislation was blocked by a filibuster.  Rockefeller has also urged President Obama to address cybersecurity issues through an Executive Order.

Sen. Rockefeller is requesting the CEOs to respond by October 19, 2012 to 8 questions:

  1. Has your company adopted a set of best practices to address its cybersecurity needs?
  2. If so, how were these cybersecurity practices developed?
  3. Were they developed by the company solely, or were they developed outside the company?  If developed outside the company, please list the institution, association, or entity that developed them?
  4. When were these cybersecurity practices developed?  How frequently have they been updated?  Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?
  5. Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?
  6. What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?
  7. What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?
  8. What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

A list of the companies who will receive the letter is available here.  While comprehensive legislation appears unlikely during this session of Congress, cybersecurity remains a top priority for certain legislators.

FTC Publishes Guide for Mobile App Developers

Yesterday, the FTC published a guide designed to help mobile app developers comply with advertising and privacy laws when marketing mobile apps. The guide doesn’t include new requirements — instead, it synthesizes many of the things the FTC has said about mobile apps in previous settlements, workshops, and policy documents. The guide focuses on two key areas: (1) advertising; and (2) privacy.

Companies are required to ensure their ads are truthful and substantiated. Although some marketers equate the word “ad” with a multi-million dollar TV campaign, the FTC clarifies that an ad can be pretty much anything a company says about what a product can do. Marketers need to ensure they can support these claims. The FTC also discusses the importance of making disclosures in a “clear and conspicuous” manner.

Marketers should think about privacy in the early stages of developing an app. Among other things, the FTC encourages marketers to only collect the information they need, to be transparent about data collection practices, to get consent before collecting sensitive information, and to keep user data secure. In addition, the FTC reminds marketers that they may be subject to the Children’s Online Privacy Protection Act if they collect personal information from children under 13.

The FTC’s guide addresses many of the issues that have gotten app developers in trouble over recent years. Therefore, it provides valuable insights for companies about what they need to do in order to stay out of trouble. Although it may cost more to run an app through a legal review prior to launch, it costs a lot less than having to deal with an FTC investigation later.

For a more detailed analysis of the FTC's guide, click here. And for more tips on developing a mobile app, click here, here, and here.

Complaint Holds Wyndham Hotels Accountable for Alleged Data Security Flaws at Independent Franchisee Locations

On June 26, 2012, the Federal Trade Commission (“FTC”) filed a lawsuit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries (the “Defendants”) alleging that the companies engaged in unfair and deceptive practices and violated Section 5 of the FTC Act by failing to implement adequate data security protections on computer systems located at 90 independently-owned Wyndham-branded hotels with whom the Defendants maintained franchise agreements.

The Complaint, filed in U.S. District Court in Arizona, claims that the Defendants’ failure to implement reasonable data security safeguards at the franchisee locations allowed computer hackers to breach franchisee computer systems and the Wyndham hotel data center on three separate occasions and access the financial account information of more than 600,000 hotel customers. The Complaint also claims that the Defendants’ privacy policy misrepresented the extent to which the company protected consumers’ personal information. The Complaint seeks injunctive relief to prevent future violations of the FTC Act by the Defendants, as well as monetary relief for the affected hotel customers.

The FTC’s Complaint is significant for two reasons. One, it represents the first time that the FTC will litigate its theory as to whether an entity’s privacy and data security practices were deceptive and unfair under Section 5 of the FTC Act (past FTC cases have resulted in pre-litigation settlements or informal closings of investigations). Two, the lawsuit reflects the FTC’s position on what facts might cause a corporate brand to be held legally responsible under the FTC Act for the privacy and information security practices of a franchisee and affiliated third parties.

Video Interview: Discussing Spokeo's FTC Settlement with LXBN TV

Following up on my post on the subject, last week I had the opportunity to speak with Colin O'Keefe of LXBN regarding Spokeo's $800,000 settlement with the FTC. In the brief interview, I explain what Spokeo does, how they allegedly violated the Fair Credit Reporting Act and Section 5 of the FTC Act and what other companies can learn from this settlement. 

Stakeholders to Discuss Consumer Privacy Bill of Rights

The National Telecommunications and Information Administration (NTIA) will convene stakeholders July 12, 2012 in Washington, DC to develop a privacy code of conduct focused on mobile applications. The mobile app code is the first of several planned codes of conduct intended to improve transparency about how personal data is handled in the commercial sector in areas not currently covered by existing Federal privacy statutes.

The multi-stakeholder meeting is an outcome of the NTIA's March 2012 Request for Comment on consumer data privacy issues "that warrant the development of legally enforceable codes of conduct." The majority of comments received by NTIA addressed concerns about the nature of consumer privacy disclosures in the mobile device environment.

NTIA, a part of the U.S. Department of Commerce, is spearheading an effort to bring stakeholders from business, industry, academia and consumer groups together to develop consensus on the creation of a Consumer Privacy Bill of Rights as recommended in the Obama Administration framework document of February 2012, "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy."

The multi-stakeholder meeting is open to all participants but stakeholders are encouraged to register so that NTIA can plan a meeting space to accommodate participants.

This post was written by Margaret E. Hardon and Alysa Z. Hutnik.

Spokeo Agrees to Pay $800,000 to Settle Charges of FCRA Violations

Today, the Federal Trade Commission (FTC) announced that Spokeo, Inc., an information broker that markets and sells detailed consumer data profiles, will pay $800,000 to settle FTC charges that it violated the Fair Credit Reporting Act (FCRA).

In its complaint, the FTC alleged that Spokeo sold consumer profiles compiled from Internet and social networking sites, as well as offline data sources, to employment industry professionals as a tool to screen job applicants.  The FTC alleged that these profiles were “consumer reports” and Spokeo operated as a “consumer reporting agency.” 

The FTC alleged that Spokeo violated FCRA by failing to (1) verify who its users are and whether the consumer reports would be used for a permissible purpose, (2) ensure the accuracy of consumer reports, and (3) inform users of their duty under FCRA to notify consumers if the information in the consumer report served as the basis of the user’s adverse action against the consumer.  The FTC also alleged that Spokeo’s online endorsements were deceptive under Section 5 of the FTC Act, as they were provided by Spokeo’s employees and not customers.  In addition to paying an $800,000 civil penalty, Spokeo agreed to injunctive relief and compliance reporting for 20 years.  

As we’ve discussed, the FTC continues to closely monitor business practices that may involve FCRA.  Companies should note that FCRA applies not only to credit reporting, but also to reports concerning a consumer’s character and reputation to be used as a factor in determining eligibility for employment or other permissible purposes.  Although this is the first FTC case applying FCRA to the sale of Internet and social media data in the employment screening context, it likely will not be the last.

Written with assistance by Jalyce E. Mangum.

Tips from the FTC Workshop on Effective Mobile Policy Disclosures

The Federal Trade Commission (FTC) recently held a public workshop entitled “In Short: Advertising & Privacy Disclosures in a Digital World” exploring effective advertising and privacy disclosures in social media and on mobile devices. Our full summary of the workshop is covered here. Panelists addressed key challenges in creating effective mobile privacy disclosures, including spatial limitations of small screens, overly technical language, and complex layouts of privacy policies and terms and conditions.

To overcome these challenges, panelists advised that companies consider consumer behavior before creating and implementing mobile privacy disclosures. The following tips, based on the panelists' viewpoints, are designed to help mobile advertisers convey privacy information and disclosures in a consumer-friendly way.

  • Be concise. Distill privacy policies down to the elements relevant to the consumer. Layer text by providing a summary of key disclosures on top of a full policy. This practice makes disclosures more accessible. Alternatively, explore shortened formats such as the "short form" privacy policy used by TRUSTe.
  • Be consistent. Take into account all elements of the disclosures, including the front-end and back-end layers. Front-end layers include the design, timing, and language of the disclosures. The back-end layers of disclosures should be reflected in the policies consumers read. Review data retention practices to make sure policies accurately reflect whether consumer data is shared, shed, or stored.
  • Be clear. With regard to third party data collections, tell consumers when third party data collections take place and what happens to their data once collected. Allow consumers the ability to choose how much of their data is accessed. Further, privacy disclosures should be clear and conspicuous, not coy. Clearly communicating an advertiser's practices is not only good business, it helps build trust with consumers.
  • Be considerate. Consider when consumers are most likely to pay attention to privacy disclosures and provide them at the most relevant time. Many mobile applications provide privacy disclosures upon download, when consumers are unfamiliar with the application and may not pay attention. However, consumers may be more likely to pay attention prior to completing a mobile transaction or purchase. Consider how best to convey the information to maximize visibility.

Mobile technology is increasingly integrated into consumers' lives. While some panelists advocated flexible standards to accommodate new technology and consumer uses, others countered that advertising must conform to the legal standards, not vice versa. All agreed that the basic advertising principles of clear communication of material terms apply regardless of format. The FTC welcomes comments on this and related web and mobile disclosure and privacy issues until July 11, 2012.

Written with assistance by Kristi Wolff and Jalyce E. Mangum.

Free Cup of coffee!* FTC Workshop on Advertising and Privacy Disclosures Explores Dot Com Updates

Last week the Federal Trade Commission (FTC) held an information-gathering workshop titled “In Short: Advertising and Privacy Disclosures in a Digital World”. The purpose of the workshop was to discuss the need for updated guidance for web and mobile advertisers regarding disclosures and privacy practices. The FTC issued the current guidance, known as the “Dot Com Disclosures,” in 2000. Topics discussed included:

  • Universal and Cross-Platform Advertising Disclosures
  • Social Media Advertising Disclosures
  • Mobile Advertising Disclosures
  • Usability Research
  • Mobile Privacy Disclosures

The comment period is open through July 11, 2012. The Commission is targeting this Fall for issuance of updated guidance.

Paul Ohm to Serve as Senior Adviser to FTC on Internet, Privacy and Mobile Markets

Professor Paul Ohm, Associate Professor at the University of Colorado Law School, will be joining the FTC as a senior policy adviser for consumer protection and competition issues in the Internet and mobile market space this August. Ohm's legal career has focused on information privacy and cyberlaw matters. He is the author of numerous law review articles and essays on computer science, privacy and law, and a frequent contributor to FTC roundtables and discussions on privacy and technology. His article, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA Law Review 1701 (2010) has been often cited in the debate on privacy standards.

Ohm previously served as a federal prosecutor for the U.S. Department of Justice's Computer Crime and Intellectual Property Section. Before his legal career, Ohm earned undergraduate degrees in computer science and electrical engineering and worked as a programmer, network administrator and IT specialist.

FTC Chairman Jon Leibowitz released a statement on Ohm's appointment: "Paul's keen insights on how the law applies to technology and privacy issues will be invaluable to the FTC's work in these areas. We have been fortunate in bringing in a series [of] top-notch experts to advise us on cutting-edge issues and enhance our in-house expertise. We look forward to having Paul on board."

Additional coverage is available here, here, and here. A full press release is available here.

Myspace Settles FTC Charges of Misleading and Deceptive Statements in its Privacy Policy

On May 8, 2012, the Federal Trade Commission (FTC) announced its settlement with social networking service Myspace on charges that it misrepresented its protection of users' personal information in violation of federal law. Like many of its social media counterparts who were recently the target of FTC enforcement actions, Myspace is charged with espousing strict privacy measures and then failing to do as promised.

The Myspace social network comprises millions of users who create and customize online profiles. Myspace assigns a persistent unique identifier, called a "Friend ID," to each profile created. Though users have the ability to upload extensive personal information to their profile, Myspace designates a subset of personal user data as "basic profile information," which include the user's profile picture, Friend ID, location, gender, age, display name, and full name. According to the complaint, this basic profile information is publicly displayed by default and is outside the scope of the privacy settings. The only piece of basic information that users can hide from public view - provided that they change the default setting - is their full name. As of July 2010, only 16% of users had actually changed the default setting to hide their full name.

Under its privacy policy, Myspace promised that it would not share users' personal information, or use it in a way that was inconsistent with the purpose for which it was submitted, without their consent. In addition, Myspace promised that customized ads would not individually identify users to third parties and that it would not share non-anonymized browsing activity. According to the complaint, Myspace in fact shared the Friend ID, age, and gender of users with third-party advertisers. Advertisers used the Friend ID to locate users' Myspace profiles and obtain personal information, including in most instances the user's full name. Advertisers could also combine the user's real name and other personal data with additional information to link broader web-browsing activity to a specific individual. In addition, Myspace certified in its privacy policy that it complied with the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. These statements of compliance were false, according to the FTC.

The proposed settlement order bars Myspace from misrepresenting the extent to which it protects the privacy of users' personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S.-EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect users' information, and obtain biennial assessments of its privacy program by independent, third-party auditors for twenty (20) years. This agreement will be subject to public comment for thirty (30) days through June 8th, after which the FTC will decide whether to make the proposed consent order final. Interested parties are strongly encouraged to submit written comments prior to this date.

Insights from the FTC's Mobile Payments Workshop

On April 26, 2012, the Federal Trade Commission (FTC) held a public workshop entitled "Paper, Plastic . . . or Mobile?" to examine the use of mobile payments in the marketplace and the impact of emerging technologies on consumers. Three consumer issues surrounding mobile payments were highlighted: (1) the lack of clear consumer redress and dispute resolution processes, (2) data security, and (3) consumer privacy.

A Kelley Drye client advisory, "Insights from the FTC's Mobile Payments Workshop: Potential Roadmap for Industry Best Practices," summarizes the FTC's workshop and the discussion on these three issues. For industry participants that are involved in the mobile payments ecosystem – or wish to be – having a clear understanding of these components and emerging best practices makes good business sense, and can help keep a company from becoming an enforcement or litigation target.

3 Must See Sessions on Privacy Enforcement, Litigation and Insurance Coverage

It’s not too late to view content from Kelley Drye’s Privacy Law Symposium, which was hosted in Los Angeles on Monday. The program included presentations on privacy enforcement, consumer class action litigation, and insurance recovery in the data privacy context, including:

  • Avoiding an FTC Privacy Investigation and What To Do When You Find Yourself the Target of One
  • Top Issues in Class Action Lawsuits Arising Out of Privacy, Data Security, and New Media Technology
  • Insurance Coverage for Data Privacy Liability – Do You Already Have It, and If Not, Can You Buy It?

Click here to view the webinar recording.

Maureen Ohlhausen Unanimously Confirmed as an FTC Commissioner

On Thursday, March 19, 2012, the United States Senate unanimously confirmed Maureen Ohlhausen as a Commissioner of the Federal Trade Commission (“FTC”). Ms. Ohlhausen is a seasoned attorney who has handled consumer privacy and data security issues in public service and private practice, and her confirmation suggests that the FTC will continue to emphasize these areas of the law.

Ms. Ohlhausen, currently a partner with Wilkinson Barker Knauer LLP, was nominated by President Obama in July 2011 to replace Republican William Kovacic, whose term expired in September 2011. As one of five Commissioners, Ms. Ohlhausen will have a seven-year term.

Ms. Ohlhausen returns to the FTC, where she served for eleven years, including a four-year tenure as Director of the Office of Policy Planning. In this role, Ms. Ohlhausen addressed a variety of high-tech legal and policy issues, including barriers to electronic commerce, and online merchants’ use of consumer data. In addition, she headed up the FTC’s Internet Access Task Force. Previously, Ms. Ohlhausen clerked for current Chief Judge David B. Sentelle of the U.S. Court of Appeals for the D.C. Circuit, and clerked at the U.S. Court of Federal Claims for Judge Robert Yock. Ms. Ohlhausen is a graduate of George Mason University Law School, and received her undergraduate degree from the University of Virginia.

The FTC's Final Privacy Report

Today the Federal Trade Commission released its much anticipated final Privacy Report, entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The final report calls on companies to implement best practices to protect consumers’ private information (both on- and off-line), Congress to enact baseline privacy and data security legislation with civil penalties, and industry to accelerate the pace of self-regulation. The Report also supports legislation to provide consumers with access to information stored by data brokers and the opportunity to dispute the accuracy of such data.

The final Privacy Report applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” For companies that fall within such scope, the FTC recommends that companies implement the following best practices, and adds that, to the extent such recommended practices go beyond existing law, the privacy framework is not intended to be a template for law enforcement actions or regulations currently enforced by the FTC.


Register Today for Kelley Drye's Privacy Law Symposium and Webinar

Live in Los Angeles or via webinar, please join Kelley Drye & Warren LLP on April 23 for an afternoon program covering privacy-related trends in enforcement, class action litigation, and insurance recovery. Click here to register for the webinar.

Privacy Law Symposium and Webinar: Enforcement, Litigation and Risk Management

Avoiding an FTC Privacy Investigation and What To Do When You Find Yourself the Target of One
A number of data practices are clearly catching the FTC’s eye. Kelley Drye privacy attorneys Dana B. Rosenfeld and Alysa Z. Hutnik will discuss which business practices are most likely to draw the FTC’s attention, and practical steps that businesses can take to reduce their risk of becoming the next target of an FTC privacy investigation or improve their defenses if businesses are investigated. And for those companies that do find themselves at the center of an investigation, learn key practice pointers that should go into every business’s strategy when determining how best to respond to the investigation.

Top Issues in Class Action Lawsuits Arising Out of Privacy, Data Security, and New Media Technology
California is a hotbed for consumer class action lawsuits, and business practices involving the collection and use of personally identifiable information can often prompt class actions. Kelley Drye litigators Keri E. Campbell and Lauri A. Mazzuchetti will discuss the top issues at play in class action suits involving privacy, information security, mobile applications, and related areas.

Insurance Coverage for Data Privacy Liability - Do You Already Have It, and If Not, Can You Buy It?
Companies suffering data security breaches have had varying degrees of success in their efforts to obtain insurance coverage for their liabilities and costs of defense. Kelley Drye insurance recovery lawyers Edward E. Weiman and Richard D. Milone will provide an overview of the types of insurance coverage potentially available in the data privacy context, focusing on which types of policies might apply, which arguments are likely to prevail to establish coverage, and what practical steps a company should take to maximize its insurance recovery in the event of a data breach.

Date:
Monday, April 23, 12:00 – 3:00 PM Pacific
Lunch begins at noon, with formal program to start at 12:30 PM.

Location:
Kelley Drye & Warren LLP
10100 Santa Monica Blvd.
Twenty-third Floor
Los Angeles, CA 90067
(301) 712-6199

RSVP:

To attend live in LA, email adlaw@kelleydrye.com or contact Cassidy Russell at 202.342.800.

To attend remotely by webinar, click here to register.


Mobile Privacy: 5 Legal Concerns for Developers

If you work with mobile apps, you may already know that privacy is a hot issue. Regulators are pushing companies to improve their privacy practices, Congress is contemplating new laws, and class action lawyers are suing companies that don’t clearly disclose their practices. In the past few weeks, this focus on privacy intensified as the FTC, the California Attorney General, and even the White House weighed in with new announcements.

Two things are clear from this recent burst of activity. First, regulators are putting pressure on everyone in the mobile app ecosystem to improve their practices, so you can’t just assume that it’s your partner’s responsibility to comply. And with the number of regulators focusing on these issues, it’s going to be a lot harder for companies to hide. No matter what role you play in the mobile app ecosystem, you should pay attention to these developments. Gonzalo Mon and John Heitmann summarize what you need to know in a new article published by Mashable, "Mobile Privacy: 5 Legal Concerns for Developers."

Commerce Department Kicks off Multistakeholder Process for Consumer Privacy Codes of Conduct

In the wake of the White House's February 23, 2012 release of Consumer Data Privacy in a Networked World: A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department's National Telecommunications and Information Administration (NTIA) published in today's Federal Register a request for public comments from all interested stakeholders on consumer data privacy issues to be addressed through enforceable voluntary codes of conduct. Comments are due on March 26, 2012.

Although any topic is fair game, NTIA opens the process by signaling that implementation of the Framework's transparency principle in privacy notices for mobile applications is among the agency's highest priorities. Also listed as a specific topic on which NTIA seeks comment are other issues associated with mobile apps, including location based services. Cloud computing, online services directed toward teens and children, trusted identity systems, and the use of multiple technologies such as browser-based cookies to collect personal data also are highlighted as areas for comment.

NTIA also seeks comment on how the multistakeholder process should be conducted so as to best ensure openness, transparency, and consensus building. These comments are the first part of a process aimed at developing voluntary industry codes of conduct that eventually would be enforced by the Federal Trade Commission.

White House Unveils Commercial Online Privacy Framework

On February 23, 2012, the White House released its long-awaited consumer data privacy framework that establishes clear consumer privacy “ground rules” intended to govern how commercial entities collect and use consumers’ personal information in an evolving technological landscape that includes the Internet and other networked technologies.

The framework, entitled Consumer Data Privacy In a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, includes a series of consumer privacy principles that would form the basis for voluntary but enforceable codes of conduct, positions the Federal Trade Commission (“FTC”) as the lead enforcer on consumer privacy issues, and encourages greater international cross-border collaboration. The framework builds on the consumer privacy recommendations issued in December 2010 by the Department of Commerce Internet Policy Task Force.

This Kelley Drye client advisory outlines the four primary elements of the framework and discusses how it aligns with other federal and state initiatives that will have significant implications for businesses that collect consumer personal information online.

Insights from Kelley Drye's 4th Annual Privacy Seminar

On February 16, 2012, Kelley Drye & Warren LLP hosted the seminar and audiocast, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.” The seminar highlighted regulatory and legislative developments in privacy and information security during the past year, with an emphasis on children's online privacy and mobile applications.

Peter Swire, a professor at The Ohio State University Michael E. Moritz College of Law and a Senior Fellow with the Center for American Progress, opened the seminar with a keynote address that gave historical context to the most recent regulatory efforts addressing consumer privacy. Professor Swire’s remarks were followed by two panel sessions that included six experts representing key industry representatives and the federal agencies integral to recent privacy initiatives. The first panel discussed children's online privacy and the Federal Trade Commission’s proposed revisions to the Children's Online Privacy Protection Rule. The second panel discussed various consumer privacy enforcement and regulatory initiatives relating to mobile apps.

For more on the seminar, including a synopsis of key takeaways, see the Kelley Drye client advisory. An audio recording of the full program is also available.

FTC Report Raises Privacy Questions About Mobile Apps for Children

This morning, the FTC issued a report showing the results of a survey of mobile apps for children. These apps can automatically collect a broad range of information, including a user's location, phone number, contacts, call logs, and unique identifiers. However, the report notes that neither the app stores nor app developers provide the information parents need to determine what data is collected from children or how it is shared.

FTC Chairman Jon Leibowitz asked companies to “step up to the plate and provide easily accessible, basic information, so that parents can make informed decisions about the apps their kids use.” Specifically, the report recommends that:

  • All members of the "kids app ecosystem" should play an active role in providing key information to parents.
  • App developers should provide information about their privacy practices in simple and short disclosures. They also should disclose whether the app connects with social media and whether it contains ads. Third parties that collect data also should disclose their privacy practices.
  • App stores also should take responsibility for ensuring parents have basic information. The report notes that the stores provide architecture for sharing pricing and category data, and should be able to provide a way for developers to provide privacy information.

Later this year, the FTC will host a public workshop in connection with its efforts to update the "Dot Com Disclosure" guide about how to provide effective online disclosures. "One of the topics that will be addressed is mobile privacy disclosures, including how they can be short, effective, and accessible to consumers on small screens." We will discuss similar topics in our 4th Annual Privacy Law Seminar this afternoon.

FTC Warns 6 Mobile Apps about Possible FCRA Violations

The FTC this week warned marketers of six mobile apps that provide background screening that the companies may be violating the Fair Credit Reporting Act (FCRA). The FTC warned the apps' marketers that, if they believe that the background reports (which included criminal record histories) generated by their apps are being used for employment screening, housing, credit, or other similar purposes, they must comply with the FCRA.

Who Got the Warnings: The FTC sent these warning letters to Everify, Inc., marketer of the Police Records app, InfoPay, Inc., marketer of the Criminal Pages app, and Intelligator, Inc., marketer of Background Checks, Criminal Records Search, Investigate and Locate Anyone, and People Search and Investigator apps.

Who Should Pay Attention: The warning letters serve as a reminder that broader enforcement by the FTC of the mobile apps sector is likely to follow if mobile app providers engaged in similar practices do not take steps to comply with the FCRA.

Why: Under the FCRA, businesses that assemble or evaluate information that can be considered a “credit report” and provide it to third parties can qualify as consumer reporting agencies. Many companies are often surprised to learn that the information they assemble and/or evaluate and provide to a third party may be considered a “credit report.”


Illinois AG Releases Information Security and Breach Notification Guide

On January 27, 2012, the Illinois Attorney General released guidance for businesses to prevent, prepare for, and respond to data security breaches. Information Security and Security Breach Notification Guidance reminds businesses and government agencies of their obligation to comply with Illinois law to guard against security breaches and provide notice in the event of an incident. The guidance identifies five (5) key principles for safeguarding information: (1) take stock; (2) scale down; (3) lock it; (4) pitch it; and (5) plan ahead.

The guidance also provides recommendations on how to prepare for a security breach, including the creation of an information security program and an incident response plan. In addition, the guidance provides recommended steps for responding to a security breach, a list of requirements under the Illinois Personal Information Protection Act, and practical considerations for security breach notification. Notably, the Illinois statute was amended effective January 2012 to require security breach notifications to include: (1) toll-free numbers and addresses for credit reporting agencies; (2) the toll-free number, address, and website for the Federal Trade Commission; and (3) a statement that an individual can obtain information from these sources about fraud alerts and security freezes.

MMA Releases Final Privacy Policy Guidelines for Mobile Apps

The way companies collect information through mobile apps has been the focus of several FTC actions, Congressional hearings, proposed legislation, and at least a dozen class action lawsuits. In response to the confusion over how app developers should deal with privacy issues, the Mobile Marketing Association recently released its Final Privacy Policy Guidelines for Mobile Apps.

The proposed policy addresses several key areas, including: (a) what information is collected, and how it’s used; (b) whether the app collects location-based information; (c) whether third parties have access to any information; (d) whether consumers can opt-out of information collection or sharing; (e) how long information is retained; and (f) how that information is safeguarded. The MMA notes that additional provisions will be required if an app is directed to children under 13.

The MMA states that the guidance is intended to provide a starting point for companies that develop apps, but that it should not be considered an ending point. For more helpful advice, read about 5 Privacy Tips for Location-Based Services.

5 Privacy Tips for Location-Based Services

The year 2012 is certain to reflect U.S. consumers’ continued love affair with sophisticated smartphones and tablets. One of the driving forces in the popularity of these devices is their ability to run mobile apps using wireless location-based services (LBS). Among other benefits, LBS allow access to real-time and historical location information online – whether to facilitate a social interaction or event, play games, house-hunt or engage in many other activities.

However, with these benefits also come privacy risks. And it is not uncommon for some popular LBS-enabled tools to lack clear disclosure about personal information collection, how that data is used, and the process for consumer consent.

Our article posted recently on Mashable, "5 Privacy Tips for Location-Based Services," discusses several privacy "do's and don'ts" for designing mobile apps.

For a more in-depth discussion of these issues, plus other privacy law trends, join us on February 16 for Kelley Drye’s seminar and teleconference, “Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends.”

Join us Feb. 16 for "Privacy in 2012" Seminar and Teleconference

Changes to privacy regulations, such as proposed revisions to the Children's Online Privacy Protection Act (COPPA), and continuously evolving technologies, including mobile apps with location-based services, can make it difficult for businesses to ensure their privacy practices are up to par.

On February 16, Kelley Drye will gather government leaders from the FTC and FCC, and thought leaders in the industry, for a discussion about new regulations, enforcement trends, and best practices to avoid consumer privacy risks. Please join us for "Privacy in 2012: What to Watch Regarding COPPA, Mobile Apps, and Evolving Law Enforcement and Public Policy Trends."

Email dcevents@kelleydrye.com to register for the live seminar or teleconference.

KEYNOTE SPEAKER

Peter Swire, Professor of Law, Ohio State University; former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget

PANEL 1: COPING WITH COPPA: CHILDREN'S PRIVACY AND PROPOSED REVISIONS TO THE COPPA RULE

Ellen Blackler, Vice President - Global Public Policy, The Walt Disney Company

Mamie Kresses, Senior Attorney, Division of Advertising Practices, Federal Trade Commission

Saira Nayak, Director of Policy, TRUSTe

Moderated by partners Dana Rosenfeld and Alysa Hutnik of Kelley Drye & Warren LLP

PANEL 2: MOBILE APPS: A PRIVACY AND CONSUMER PROTECTION HOT SPOT

Michael Altschul, Senior Vice President and General Counsel, CTIA

Jessica Rich, Associate Director, Division of Financial Practices, Federal Trade Commission

Jennifer Tatel, Associate General Counsel, Federal Communications Commission (invited)

Moderated by partners John Heitmann and Gonzalo Mon of Kelley Drye & Warren LLP

When:
February 16, 2012, 2:30 PM - 5:30 PM EST

Location:
Kelley Drye & Warren LLP
3050 K Street, NW, Suite 400
Washington, DC 20007-5108

And via audio webcast

RSVP:
Email dcevents@kelleydrye.com or contact Cassidy Russell at 202.342.8400.

This seminar is free of charge, but space is limited. Reserve your place today.

CLE and CPE credit may be available in certain jurisdictions.

Privacy Point of Sale Alert: Massachusetts District Court Finds that Zip Codes Are PII

In June 2011, we wrote about a class action lawsuit filed against Michael Stores, Inc. (“Michaels”), accusing the arts and crafts retailer of violating a Massachusetts consumer protection statute when it collects and records zip codes during consumer credit card transactions. Last week, a Massachusetts District Court granted Michaels’ motion to dismiss the lawsuit after finding that the plaintiff failed to show cognizable injury. Nevertheless, the Court sent a clear message to businesses that collect customer information at the sales register by concluding that zip codes are personally identifiable information (“PII”) and Michaels may have violated the state statute when it requested plaintiff’s zip code during the sales transaction.

In Tyler v. Michael Stores, Inc., the plaintiff made a purchase at a Michael’s store with her credit card and, during the sales process, the cashier requested the plaintiff’s zip code. The plaintiff provided her zip code to the cashier allegedly based on the belief that it was necessary to complete the transaction. According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”


2012 Signals Continued FTC Privacy Scrutiny: Web Browser Toolbar Triggers Enforcement Action

On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service intended to help consumers save money for college, over charges that the company misled users about the extent to which it collected and transmitted their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to adequately secure the user information that it collected. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.

FTC’s Complaint Allegations: Upromise provides a membership service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise offered users a downloadable web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby allowing users to more easily identify merchants that provide the college-savings rebates.

According to the FTC Complaint, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users and the links that were clicked on by users, as well as information that users entered into websites, including search terms, user names and passwords, and financial transaction information. The Commission also alleged that users who downloaded the toolbar were led to believe that any personal information collected would be removed before it was transmitted, and that Upromise had implemented adequate security safeguards to protect the personal information transmitted.

Settlement Provisions: In resolving these allegations, the FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly disclosing the extent of its data collection practices. Per the settlement, this disclosure must be made before consumers’ installation of the web browser tool, and appear separately from any “end user license agreement,” “privacy policy,” “terms of use” page, or similar document.

Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years. Going forward, a violation of the settlement could expose the company to up to $16,000 per violation.

What This Settlement Signals: The settlement with Upromise underscores that, in 2012, the FTC will continue to hold companies accountable for providing clear and conspicuous disclosures about the extent to which online-based products and services actively and passively collect personal information, for obtaining affirmative consent from consumers for such data collection, and for appropriately securing the personal data in their control. It will be a busy year.

This post was written by Alysa Z. Hutnik and Matthew Sullivan.

The FTC Offers Framework for Facial Recognition Technology

On December 8, 2011, the Federal Trade Commission (FTC) sponsored a workshop in Washington, D.C. to discuss the privacy implications of facial recognition technology. The webcast is available here. Facial recognition technology has been integrated into a wide range of products and services, including online social networks, digital billboards and mobile apps, which raise a host of privacy and security concerns, the FTC said.


Facebook Settlement with the FTC Includes Stringent Privacy Requirements

Facebook has agreed to settle Federal Trade Commission (“FTC”) charges alleging that the social network company engaged in deceptive practices that enabled third-party access to Facebook users’ private information, including personal history, photos, videos, and Friend Lists, without providing users with adequate notice or obtaining their prior consent.

The proposed settlement, which would impose privacy requirements that are similar to those in the FTC’s settlement with Google that became final in October 2011, follows complaints over Facebook’s privacy practices that were filed with the FTC in December 2009 by the Electronic Privacy Information Center (“EPIC”) and a coalition of consumer groups.

The FTC Complaint

The FTC’s administrative complaint alleges a number of violations of Section 5(a) of the FTC Act, which prohibits deceptive or unfair acts or practices in or affecting commerce, including allegations that (1) Facebook users’ personal information was made publicly-available despite repeated representations by Facebook that such information would remain private; (2) applications (“Apps”) available through the Facebook platform could access personal information without Facebook users’ knowledge or consent; and (3) Facebook falsely stated that it complied with the United States – European Union (“EU”) Safe Harbor Framework:

  • Personal Information Available to Third-Parties following Unilateral Changes to Privacy Settings: The FTC alleged that Facebook users were not given adequate notice that certain private information would become publicly-available following changes to Facebook’s privacy settings, and were not given meaningful choice about whether they agreed to the public status of their information. Further, the FTC alleged that, despite statements by Facebook that personal information was not shared with advertisers, users’ User ID information became available to an advertiser whenever a user clicked on an advertisement. The FTC also alleged that personal photos and videos remained available on Facebook even after such content was deleted by a user or the user deactivated his or her Facebook account.
  • Apps Access to Private Information: The FTC alleged that Apps available on the Facebook platform could access users’ personal information even when the information was unrelated to the operation of the app or when certain information was designated by users as “Friends Only.” The FTC also alleged that Facebook’s “Verified Applications” program was deceptive as it did not employ verification procedures or security safeguards that exceeded the level of protection applied to any other App on the Facebook platform.
  • Noncompliance with U.S.–EU Safe Harbor Framework: The FTC alleged that, despite representations within Facebook’s privacy policy that the company complied with the U.S.-EU Safe Harbor Framework, Facebook’s privacy practices violated the U.S. Safe Harbor Privacy Principles of Notice and Choice.

Terms of the Proposed Settlement

The proposed settlement, which is subject to public comment through December 30, 2011, imposes robust requirements on Facebook, including the following:

  • Before sharing user information with a third party in a manner that materially exceeds the restrictions imposed by a user’s privacy settings, Facebook must:
    • Disclose (1) the information that will be shared, (2) the identity or categories of the third parties that will receive the information, and (3) that such sharing exceeds the restrictions imposed by the user’s privacy settings. Notably, this disclosure must be separate from any “end user license agreement,” “privacy policy,” or “terms of use;” and
    • Obtain express affirmative consent to the sharing from the user.
  • Facebook must ensure that personal information cannot be accessed by a third party within 30 days after a user deletes such information or terminates his or her Facebook account.
  • Facebook must develop, implement, and maintain a written comprehensive privacy program that includes designated employees responsible for the program; identification of reasonably foreseeable risks and of the safeguards used to mitigate them; and steps to select and retain service providers.
  • Facebook must hire a third-party privacy and data security professional to conduct assessments of Facebook’s practices every two years for the next twenty years.

What this Means for Business

This FTC action is the latest reminder to businesses that handle consumer information that they must carefully evaluate whether their privacy practices are consistent with promises made in their policies and whether they provide adequate disclosures and obtain meaningful consent from customers when these practices change. With this high-profile settlement, the FTC has signaled that it will continue its aggressive privacy-related enforcement activity regarding the handling of consumers’ personal information.

This post was written by Dana Rosenfeld, Alysa Z. Hutnik, and Matthew Sullivan.

MMA Releases Proposed Privacy Guidelines

As we’ve noted in previous posts and a recent webinar, the way companies collect information through mobile apps has been the focus of several FTC actions, Congressional hearings, proposed legislation, and at least ten class action lawsuits. In response to the confusion over how app developers should deal with privacy issues, the Mobile Marketing Association recently released guidance in the form of a proposed annotated privacy policy.

The proposed policy addresses several key areas, including: (a) what information is collected, and how it’s used; (b) whether the app collects location-based information; (c) whether third parties have access to any information; (d) whether the app works with third parties to deliver targeted ads; (e) whether consumers can opt-out of information collection or sharing; (f) how long information is retained; and (g) how that information is safeguarded. The MMA notes that additional provisions will be required if an app is directed to children under 13. Notably, the MMA does not discuss how the privacy policy should be disclosed.

The MMA states that the guidance is intended to provide a starting point for companies that develop apps, but that it should not be considered an ending point. Given the number of variables in this area, companies are strongly encouraged to consult an attorney before developing an app or drafting a privacy policy. The MMA is seeking public comment on the guidance until November 18, 2011.

House Data Security Legislation Likely to Pass Next Year?

House Commerce, Manufacturing and Trade Subcommittee Chairman Mary Bono Mack (R-CA) said yesterday that SAFE Data legislation is her number one priority for the committee. She acknowledged, though, that movement on such a bill is unlikely until Energy and Commerce Chairman Fred Upton (R-MI) completes his work on the Joint Select Committee on Deficit Reduction (the Super Committee).

Dissatisfied with current efforts by industry, and concerned that government may do too much, the Chair sought input from industry, advertising, and consumer representatives yesterday at a hearing titled "Understanding Consumer Attitudes Toward Privacy." Committee staff continue to meet with stakeholders on HR 2577, the SAFE Data Act, seeking to develop a national data breach/notification law that would protect consumers, but is no broader than necessary in regulating industry.

With the Super Committee due to present its recommendations in late November and Congress to vote on them before year's end, we anticipate that data breach legislation will be more likely to move in the House next year. Data breach/notification legislation was also mentioned as a priority of the House Republican Cyber Security Legislative Strategy released last week by Rep. Mac Thornberry (R-TX). House Republican leadership has proposed tackling cyber security in small bites, rather than the comprehensive approach of the Senate, making it possible that a data breach bill could move through the House early next year. Stay tuned for further developments.

This post was written by Margaret E. Hardon and Alysa Z. Hutnik.

Default Privacy Settings of Mobile App Draw FTC Scrutiny

On October 11, 2011, the FTC announced a settlement with Frostwire LLC, a peer-to-peer (“P2P”) file-sharing application (“app”) developer, and its Principal, over charges that the company publicly exposed its app users’ personal information without the users’ authorization, and misled users about the extent to which downloaded files would be shared with a P2P file-sharing network. The FTC claimed that Frostwire’s alleged actions were unfair and deceptive and violated the FTC Act. The 20-year settlement bars Frostwire and its Principal from making material misrepresentations about the file-sharing features of its apps, and from configuring its apps to cause inadvertent public sharing of users’ files. The settlement also requires that Frostwire provide users with clear and prominent disclosures that include information on how to disable the apps’ file-sharing features. Going forward, a violation of the settlement could expose the company and its Principal to up to $16,000 per violation.

Frostwire offers two free P2P file-sharing applications: Frostwire Desktop for desktop and laptop computers, and Frostwire for Android for mobile devices that use Google’s Android operating system. Both apps enable users to share files ― including photos, videos, documents, and music ― with other users of the Gnutella P2P file-sharing network. According to the FTC Complaint, Frostwire configured the default settings on its Frostwire for Android app so that, immediately upon installation, the app would publicly share personal files that were stored on the app user’s mobile device. The Commission also alleged that consumers who installed certain versions of the Frostwire Desktop app onto their computer were led to believe that files downloaded from the Gnutella network would not be shared unknowingly with other users of the P2P network.

This case marks the FTC’s third action against a mobile app developer in the past 60 days. In August 2011, the FTC announced a settlement with W3 Innovations over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”), and, in September, the FTC announced a settlement with a marketer that claimed its mobile apps treated acne. These settlements reinforce statements made by the FTC earlier this year concerning its scrutiny of marketing and privacy practices associated with mobile apps. This latest settlement also further underscores that the FTC will hold app developers accountable when the app does not incorporate “privacy-by-design” features, and instead uses default settings that enable the app to share personal data with third parties without the consumer’s informed consent.

Matthew P. Sullivan contributed to this post.

Privacy vs. Bankruptcy: Case Lesson on When Customer Data is Not for Sale

On September 21, 2011, FTC Bureau of Consumer Protection Director David Vladeck sent a letter to the court-appointed consumer privacy ombudsman in the Borders Group, Inc. (Borders) bankruptcy proceeding advising against the sale of Borders’ customer information absent customer consent or significant restrictions on the transfer and use of the information. The letter was sent in response to a request from the ombudsman seeking a written description of the agency’s concerns regarding the possible sale of the customer information, which includes purchase history and email addresses from over 20 million customers. According to the FTC’s letter, the purchase history information dates back to May 2005, and includes merchandise purchased (e.g., books and videos), the location of the purchase (store, kiosk, or internet), Borders Rewards number, and, in some cases, credit card information.

As described in the letter, Borders’ 2006 and 2007 privacy policies stated that it would “only disclose your email address or other personal information to third parties if you expressly consent to such disclosure.” (Emphasis in original). In addition, a revised policy from 2008 contained the same language restricting the sale or rental of personal information, but also included information describing circumstances under which Borders might disclose personal information, as follows:


Data Security Legislation Gets Partisan

The previously bipartisan approach to data security has fallen victim to the increasingly rigid and high-pitched partisan divide on Capitol Hill. Yesterday, the Senate Judiciary Committee passed three data security/breach notice bills, Senator Leahy's S. 1151, Senator Feinstein's S. 1408, and Senator Blumenthal's S. 1535, on a party-line vote. Similar versions of Senator Leahy's Personal Data Privacy and Security Act of 2011 have passed through the Judiciary Committee with Republican support in the past. Yesterday, Republicans decried the bills as burdensome regulations that would kill jobs.

The Senate also faces a jurisdictional divide that could derail the momentum for a national data security and breach notice law. The Senate Commerce Committee postponed its markup of S. 1207 this week but intends to reschedule soon. The Rockefeller/Pryor bill similarly seeks to implement a national standard for protecting consumer data and for notification of breaches. And it is not clear how Senate leadership will sort out moving the four similar data breach bills, which are likely to become part of a comprehensive cyber security bill that Majority Leader Reid is putting together in the Senate.

The House has seen an equal partisan divide over Rep. Bono Mack's data security bill -- HR 2577 -- which moved through subcommittee before the summer recess on a partisan vote, but has since stalled. As in the Senate, similar data breach legislation has passed through committee with bipartisan support in the past, but the Bono Mack bill angered Democrats for its narrower approach to consumer protection. Consultation with Democrats and other groups will be ongoing before the bill can move to a full committee vote.

Even if the partisan arguments can be resolved, the process for getting House and Senate data security/breach bills conferenced is unclear, given the different approaches that each chamber is taking toward moving cyber security legislation. The House Republican leadership is in the process of developing a strategy for cyber security legislation but intends to pass individual bills through regular order rather than a comprehensive package that could be married with the Senate's large bill. Like most issues in Congress today, there are more questions than answers. We will be closely following these developments, and will post further updates if it appears there is traction on a break-through bill.

This post was written by Margaret E. Hardon and Alysa Z. Hutnik.

House Hearing Looks at Lessons from EU Privacy Model, Burdens on U.S. Companies

On September 15, 2011, the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining the European Union’s (EU’s) privacy and data collection regulations and their impact on U.S. companies and the Internet economy. The hearing – Internet Privacy: The Impact and Burden of EU Regulation – focused on the EU’s 1995 Privacy Directive and the burdens and benefits of the EU Privacy model as a means to inform the policy debate on potential U.S. privacy law.

In 1995, the EU promulgated the Data Privacy Directive, requiring EU member countries to enact privacy laws that satisfy certain baseline privacy principles such as notice and consent, and restricting the flow of personal data from EU countries to non-EU countries that lack privacy protections. The Directive applies to EU affiliates of U.S. companies but was amended in 2000 to include a “safe harbor” provision for U.S. companies that voluntarily comply with data protection principles.

Rep. Bono Mack opened the hearing noting that, while it is not clear that privacy legislation is warranted at this time, it is clear that industry is not doing enough to protect U.S. consumers’ privacy. At the same time, she indicated that the government needs to avoid regulatory overreach. The key, she noted, will be to balance innovation and privacy.

The first panelist, Nicole Lamb-Hale, Assistant Secretary for the Commerce Department’s International Trade Administration, opposed adopting the EU privacy model for the U.S., emphasizing instead a greater need for flexible baseline privacy principles adaptable to technological advances, harmonized with sector-by-sector regimes.

Representatives raised concerns for U.S.-based multinational corporations, noting inconsistent EU regulatory privacy regimes, fractured compliance with the EU Privacy Directive and inconsistent enforcement targeting a “seemingly” disproportionate number of U.S. companies. Representatives were also concerned about the costs the EU privacy regulation imposed on the Internet economy.

MIT Professor Catherine Tucker testified that her studies revealed that “advertising performance” – a measure of the willingness of consumers to make purchases based on online ads – decreased 65% after the EU privacy directive was implemented. On the other hand, Ohio State Law Professor Peter Swire suggested that without privacy protections, U.S. companies risk facing protectionist policies and the loss of business when conducting international commerce as more countries adopt the EU privacy model.

The hearing is the second in a series of privacy hearings the Subcommittee plans to hold this fall and adds important international considerations to the growing privacy debate in Congress.

This post was written by Christopher S. Koves and Dana B. Rosenfeld.

FTC Proposes Changes to Children's Privacy Rule

Late this week, the FTC issued its proposed amendments to the Children’s Online Privacy Protection Rule ("COPPA Rule"). The proposed revisions are intended to maintain privacy protections for children who increasingly participate in social networking and interactive gaming, or engage in online activities through a mobile device. The FTC seeks written comments to the proposed amendments, which are due by November 28, 2011.

Kelley Drye prepared an advisory that outlines the proposed revisions to the Rule and describes what the new requirements would mean for businesses with an online presence: how they must obtain parental notice and consent, what data they can collect from children, and the corresponding safeguards and data minimization requirements they must meet to avoid incurring civil penalties of up to $16,000 per violation.

California's Data Breach Notification Law Amended to Require More Information for Consumers

On August 31, 2011, California amended its consumer data breach notification statute (Cal. Civ. Code §§ 1798.29 & 1798.82) to require that an entity, following a breach of its electronic data, provide certain information in its notice to affected consumers. Under the current law, entities subject to a data breach must provide written or electronic notice of the breach to affected consumers; however, the law does not require that the notice include specific information. Senate Bill 24, which goes into effect on January 1, 2012, requires that any agency, person, or business provide consumers with a plain-language notice that includes:

• The entity’s name and contact information;
• A general description of the breach, and the type of personal information that was subject to the breach;
• The date of the breach or, if this information is unknown, an approximation of when the breach occurred;
• Whether notification of the breach was delayed as a result of a law enforcement investigation; and
• Contact information for the major credit reporting agencies.

Under the amended law, an entity that is the subject of a data breach affecting more than 500 California consumers also must forward an electronic copy of the consumer notification to the California Attorney General. Moreover, the revised law advocates, but does not require, that an entity provide (1) information on the efforts it has taken to protect affected consumers; and (2) recommendations on how consumers can protect themselves.

Notably, these changes to California’s data breach notification statute follow a recent flurry of proposed federal legislation—including H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, and S. 1408—calling for a nationwide data breach notification requirement.

This post was written by Alysa Z. Hutnik and Matthew P. Sullivan.

Groupon Privacy Statement Revisions Reflect Evolving Legal and Regulatory Landscape

Groupon recently made sweeping and material changes to its web-posted privacy statement. The changes allow Groupon to collect more information, including location information for its app-driven Groupon Now! deals, and to share it more freely with other companies, such as Expedia for its Groupon Getaways product. The NextDailyDeal article, "Groupon Privacy Statement Revisions Reflect Rapid Changes in the Marketplace and an Evolving Legal and Regulatory Landscape," provides a quick take on the what and why with respect to the changes to Groupon’s privacy statement.

Groupon’s revised privacy statement brings it more in line with FTC guidance, key concepts in proposed legislation, and developing industry best practices. Now is a good time for all players in the online advertising ecosystem to take stock of their current privacy statements and decide what needs re-working to reflect their company’s current business model and the evolving legal and regulatory landscape.

FTC Settles with Mobile App Developer Over Alleged Privacy Violations

On August 15, 2011, the FTC announced a settlement with W3 Innovations, LLC (“W3”) and its President over charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) when W3 allegedly collected and disclosed personal information from tens of thousands of children without their parents’ consent. The settlement requires W3 and its President to pay $50,000, and they must delete all personal information collected in violation of COPPA. The case marks the FTC’s first action against a mobile application (“app”) developer.

W3 Innovations, which does business as Broken Thumbs Apps, develops and distributes apps including Emily’s Girl World and Emily’s Runway High Fashion (the “Emily Apps”), which are sold through the “Games-Kids” section of Apple, Inc.’s App Store. According to the FTC Complaint, the Emily Apps encouraged children to submit emails, including messages to friends and requests for advice, that were then posted as publicly-available blog entries to the “Emily’s blog” feature available on all Emily Apps sites. Children also could submit comments in response to the blog entries using a standard comment form that required users to provide their name and email address.

The FTC’s COPPA Rule (16 C.F.R. Part 312) is triggered when companies collect online personal information about children under the age of 13. The Rule requires website operators to notify parents and obtain their express consent before they collect, use, or disclose such children’s personal information. The Rule also requires website operators to post a clear and conspicuous privacy policy at each area of an online site that collects personal information from children. The FTC alleged that W3 violated COPPA when it did not obtain parental consent before it (1) collected and maintained at least 30,000 email addresses from children who participated in the “Emily’s blog” feature; and (2) allowed children to publicly post information, including personal information, to the blog and comments section of the app.

As this case demonstrates, the FTC is following through on statements that it made earlier this year that it was actively investigating a number of privacy issues associated with mobile devices, including features targeting children. Given the FTC’s interest in this area, companies seeking to enter the mobile app market or engage a younger audience using games or other online features should be aware of the key considerations and best practices (see here and here) that can help reduce risks resulting from increased legal and regulatory scrutiny.

This post was written by Alysa Z. Hutnik and Matthew P. Sullivan.

Avoiding Trouble When Adding an App to the Business Model

The rise of smartphones, wifi hotspots, and high-speed data networks has spurred new technology-based business models and the exponential growth of consumer information online. Chief among new technologies, the use of mobile applications—“apps”—has exploded in the past few years. From near-constant posts on Facebook to attacking the green pigs on Angry Birds, consumers have opened their hearts and wallets to mobile apps. While the upside is great, companies and developers considering a mobile app should also be mindful of the legal and business pitfalls of mobile apps and implement a process to sidestep common challenges.

A new article from E-Commerce Law & Policy, “Avoiding Trouble When Adding an App to the Business Model,” outlines several of these potential pitfalls and the best practices to avoid them.

For more information about this uncharted legal territory and emerging "rules for the road" for developing and marketing mobile apps, click here to view and listen to a recording of the Kelley Drye webinar, “Mobile Applications: Privacy and Data Security Considerations.”

Maureen Ohlhausen Nominated for FTC Commissioner Post

On Tuesday, July 19, 2011, President Obama announced that he will nominate Maureen Ohlhausen to serve as a Commissioner with the Federal Trade Commission (“FTC”). Ms. Ohlhausen has broad experience in the areas of online privacy and consumer information protection, and the nomination underscores the increasing importance of such issues to the Commission.

Currently, Ms. Ohlhausen is a partner at Wilkinson Barker Knauer LLP, where she works in the firm’s privacy, data protection, and cybersecurity practice. Prior to joining the firm, she served as policy counsel for the Business Software Alliance trade group. From 1997 to 2008, Ms. Ohlhausen worked at the FTC, including as Director of the Office of Policy Planning, where she handled issues related to e-commerce, advertising, and technology. During her tenure with the Commission, she led an Internet access task force that focused on net neutrality and broadband competition.

Earlier in her career, Ms. Ohlhausen worked at the U.S. Court of Appeals for the D.C. Circuit as a law clerk for Judge David Sentelle, and clerked for Judge Robert Yock of the U.S. Court of Federal Claims. Ms. Ohlhausen is a former adjunct law professor and a graduate of the George Mason University Law School. She received her bachelor’s degree from the University of Virginia.

If confirmed by the Senate, Ms. Ohlhausen will replace Republican William Kovacic, whose term expires in September. She would serve a seven-year term on the Commission’s five-member board.

'Big Three' Weigh in on Online Privacy: FTC, FCC and NTIA Testify at Privacy Hearing

On July 14, 2011, a joint House Energy and Commerce Subcommittee hearing focused on online privacy policy and perspectives of the ‘big three’ federal agencies with potential jurisdiction over online privacy – the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and the National Telecommunications and Information Administration (NTIA). The hearing, Internet Privacy: The Views of the FTC, the FCC, and NTIA, offered a comprehensive review of the state of online consumer privacy and the appropriate industry and government response to developments in online behavioral advertising and tracking. The hearing comes on the heels of a flurry of online privacy and data security legislation introduced in recent weeks and months. Witnesses included FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez and NTIA Administrator Lawrence E. Strickling.

The hearing touched on issues including the economic impact of privacy regulation, defining the harms caused by data collection, agency jurisdiction and authority, protecting children, data security, and social networking. Click here for more detail regarding the major themes discussed at the hearing, which expanded the growing legislative record on online privacy and security.

Data Security and Data Breach Notification Bills Circulating in Congress

In early June, a slew of new bills began circulating in Congress that, if enacted, would impose uniform national data security and data breach notification requirements on entities that collect sensitive personal information. On June 7, 2011, Sen. Patrick Leahy (D-VT) introduced the Personal Data Privacy and Security Act (S. 1151), which was followed on June 15, 2011 by Sen. Mark Pryor’s (D-AR) and Sen. Jay Rockefeller’s (D-WV) Data Security and Breach Notification Act (S. 1207). The Leahy bill was referred to the Senate Judiciary Committee while the Pryor-Rockefeller bill was referred to the Senate Commerce Committee. Also on June 15, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing on Rep. Mary Bono Mack’s (R-CA) Secure and Fortify Electronic Data Act (SAFE Data Act) Discussion Draft, which has yet to be formally introduced but is very similar to the Pryor-Rockefeller bill.

Click here to read more on the common themes among the three bills, as well as the respective civil and criminal penalties each bill imposes for violations.

While it is unclear if legislation will pass this term, privacy and data security issues continue to gain momentum in Congress. What is clear is that companies need to exercise due diligence in their data security and privacy practices or potentially subject themselves to unwanted litigation, Congressional pressure and regulation – not to mention negative media coverage.

New Rhode Island Law Prohibits Businesses from Requesting Social Security Number Information

Last week, Rhode Island enacted a new law that prohibits businesses from requesting any part of a customer’s social security number during a sales transaction. Section 6-13-17 of the Rhode Island Consumer Empowerment and Identity Theft Prevention Act, which became effective immediately, modifies a previous state law provision that permitted businesses to request a portion of a consumer’s social security number -- usually the last four digits -- in connection with the purchase of a product or service. A violation of the law can result in a criminal misdemeanor, as well as a private right of action permitting an award of damages, attorney’s fees, costs, and injunctive relief.

The law has few exemptions: licensed insurance companies, certain financial and health care or pharmaceutical-related services, and credit card offerors, but not other types of businesses in which some form of credit may be extended to the consumer as part of the sale. For example, some companies, before they sell subsidized equipment to the consumer (usually as part of a term-length service contract), collect part of the consumer’s social security number in order to request a credit report for a permissible purpose. This new law appears to restrict that practice. Accordingly, companies that sell to consumers in Rhode Island and typically request any form of social security number information during the sales process should pay close attention to the new law.

Flood of Geolocational Privacy Legislation Introduced in June

June has seen a flood of activity on Capitol Hill seeking to protect consumer geolocational privacy. Within a few days of one another, three bills were introduced that, if enacted, would require consumer consent before geolocation information obtained through mobile devices can be collected, used or disclosed to third parties. On June 14, 2011, Rep. Jason Chaffetz (R-UT) and Rep. Robert Goodlatte (R-VA) introduced the Geolocational Privacy and Surveillance Act (GPS Act) (H.R. 2168) in the House and, on June 15, 2011, Sen. Ron Wyden (D-OR) introduced companion legislation in the Senate (S. 1212). Similarly, on June 16, 2011, Sen. Al Franken (D-MN) and Sen. Richard Blumenthal (D-CT) introduced geolocational privacy legislation of their own – the Location Privacy Protection Act of 2011 (S. 1223).

Notably, both the GPS Act and Franken-Blumenthal bill prohibit the collection, use or disclosure of consumer geolocation data without consumer consent subject to certain exceptions. The GPS Act is broader in scope than the Franken-Blumenthal bill, applying to federal and state government entities as well as commercial service providers while the Franken-Blumenthal bill is limited to commercial service providers. Both bills would impose criminal and civil penalties for unlawful collection, use and disclosure of geolocation data and empower the states and Federal government to enforce consumer data protection. These bills build on the growing legislative activity on privacy and data security potentially impacting any entities that utilize consumer geolocation data.

Communications service providers, mobile application developers and device-makers that utilize geolocation data need to be aware of these developments and the potential implications for their business models and data flow processes. Click here for more on the key provisions of the GPS Act and Franken-Blumenthal bill.

Christopher S. Koves contributed to this post.

Privacy Point-of-Sale Alert: Massachusetts Class Action Argues that Zip Codes Are PII

Last month, a class action lawsuit was filed against Michaels Stores, Inc., accusing the arts and crafts retailer of violating a Massachusetts consumer protection statute when it collects and records zip codes during consumer credit card transactions. The lawsuit, Tyler v. Michaels Stores, Inc., filed in Massachusetts District Court, comes several months after the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., which held that zip code information is personal identification information (“PII”) under California’s Song-Beverly Credit Card Act (the “Song-Beverly Act”).

In Tyler, the plaintiff made a purchase at a Michaels store with her credit card and, during the sales process, the cashier requested the plaintiff’s zip code. The plaintiff provided her zip code to the cashier allegedly based on the belief that it was necessary to complete the transaction. The plaintiff asserts that Michaels subsequently combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. According to the complaint, the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”

The plaintiff in Tyler argues that Mass. Gen. Laws ch. 93 § 105 should be interpreted in a manner consistent with the California Supreme Court’s interpretation of the Song-Beverly Act in Pineda. In that case, the court held that a cardholder’s zip code qualified as “information concerning the cardholder. . .” as used within the Song-Beverly Act’s definition of PII. As a result, businesses in California face restrictions from requesting and recording a person’s zip code as part of a credit card transaction. The Massachusetts statute defines PII in a different, though arguably similar fashion to the Song-Beverly Act. Specifically, the statute includes an open-ended definition of PII that is not limited to a credit card holder’s address or telephone number. The plaintiff in Tyler is seeking injunctive relief, damages, and attorneys’ fees.

Businesses that collect customer information at the sales register should pay close attention to this case, as it may signal lawsuits in other states with statutes that are similar to California’s Song-Beverly Act.

Sony and Epsilon on the 'Hot Seat': House Commerce Subcommittee Investigates 'Historic' Data Breaches

On June 2, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining threats posed to data security and the much publicized data breaches at Sony and Epsilon. The hearing, “Sony and Epsilon: Lessons for Data Security Legislation” focused on the recent Epsilon and Sony data breaches and the need for comprehensive federal data security and data breach notification legislation. The representatives and witnesses discussed the delays in Sony’s notification, the extent of the breaches, and the prospects for federal legislation.

The hearing is part of a comprehensive review of data security and electronic privacy initiated by the House Energy and Commerce Committee that was announced on June 1, 2011. According to the Committee press release, the first phase of the Committee’s review will focus on online data security and data theft prevention, followed later in the year by a focus on broader electronic privacy concerns.

At the hearing, Rep. Bono Mack called for a “uniform national standard” for data security and data breach notification, announcing her intent to introduce legislation. The hearing built on the growing record in Congress supporting data security and data breach notification legislation that could ultimately supersede the current patchwork of state laws. Click here to read more about the hearing.

4 Legal Considerations for Building a Mobile App

Kelley Drye partner Alysa Hutnik and associate Christopher Loeffler's article, “4 Legal Considerations for Building a Mobile App,” was recently featured on Mashable.com, a top source for news in social and digital media, technology and web culture. The Mobile Apps article explores the mobile app business and provides practical considerations for app developers (or for those partnering with app developers) to keep in mind to help reduce legal risk in this area.

For more information about this uncharted legal territory and emerging "rules for the road" for developing and marketing mobile apps, click here to view and listen to a recording of the Kelley Drye webinar, “Mobile Applications: Privacy and Data Security Considerations.”

FCC Announces June 28, 2011 Location Based Service (LBS) Forum

Last week the FCC announced plans to hold a June 28, 2011 public education forum on consumer and privacy issues implicated by mobile Location Based Services (LBS) tracking. The FCC seeks input from consumers, industry, and academia on a variety of related topics, including industry best practices and the use of mobile devices by children.

The forum comes amid growing concerns over consumer mobile privacy, including recent disclosures that Apple and Google mobile devices collected geolocation information without consumer consent. Recent media coverage has drawn attention to the collection, use and disclosure of geolocation information and there is mounting Congressional interest in protecting consumer online and mobile privacy (see Kelley Drye Advisory and chart summarizing federal consumer privacy legislation).

The forum is being conducted in consultation with the FTC. The FCC’s March 2010 National Broadband Plan called for the two agencies to work together on privacy issues and in July 2010, a Joint FTC/FCC Privacy Task Force was formed. The forum will inform a forthcoming FCC staff report that may help shape the ongoing privacy debate and may clarify the role the FCC intends to play in this area. Comments on the LBS forum and the topics raised for inclusion in the proposed FCC staff report are due July 8, 2011.

For more information about this uncharted legal territory and emerging "rules for the road" for developing and marketing mobile apps, click here to view and listen to a recording of the Kelley Drye webinar, Mobile Applications: Privacy and Data Security Considerations.

Christopher S. Koves contributed to this post.

Senator Leahy Introduces Bill to Update Electronic Communications Privacy Act

Last week, Sen. Patrick Leahy (D-VT) introduced a bill to update the 25-year-old Electronic Communications Privacy Act (ECPA), by seeking enhanced privacy protections during government searches of electronic communications, cloud computing and location-based services. The ECPA Amendments Act of 2011 (S. 1011) would require a search warrant based on probable cause before service providers could disclose to federal authorities the contents of a customer’s electronic communications, whether stored or in transit – eliminating the “180-day rule.” However, the bill would require service providers to provide access to non-content communication records, such as subscriber name and address, in response to federal or state administrative or grand jury subpoenas. Federal authorities can also seek delayed notification to a service provider’s customers for investigative purposes.

The bill also implicates the mobile industry, proposing geolocation information privacy protections. If enacted, the bill would prohibit required disclosure of contemporaneous or prospective geolocation information without a warrant or court order, with exceptions for emergency response and historical data. At a recent hearing (see Kelley Drye Advisory), Sen. Leahy expressed his desire for broad application of ECPA to mobile providers and mobile applications. Notably, the bill would insulate electronic communication service providers from liability for providing geolocation information to federal authorities.

Communications providers need to be aware of their current and potential obligations under ECPA and the way in which they respond to requests for sensitive customer information from federal authorities. ECPA reform and the flood of recent privacy legislation (see Kelley Drye Chart) may impact mobile and Internet service providers’ responsibilities to protect customer privacy.

Christopher S. Koves contributed to this post.

Senate Hearing Reflects Increasing Focus on Mobile Privacy and Consumer Protection

On May 19, 2011, the Senate Commerce Subcommittee on Consumer Protection, Product Safety and Insurance held a hearing on protecting consumer privacy in the dynamic mobile marketplace created by smartphones and the advent of mobile applications or “apps.” The hearing, “Consumer Privacy and Protection in the Mobile Marketplace,” comes amid growing concerns for consumer mobile privacy in the wake of reports that mobile app providers collect personal information without privacy policies or consumer consent on data collection and usage.

Representatives from the FTC, Facebook, Google, Apple, the Association for Competitive Technology and Common Sense Media offered views on mobile privacy from the government, industry and consumer perspectives. The panelists addressed the Senators’ privacy concerns, focusing on FTC authority over privacy, behavioral advertising targeting children, and the specific mechanisms and procedures used to protect mobile privacy.

The hearing builds on a May 10, 2011 Senate Judiciary Subcommittee hearing that also focused on mobile privacy and a number of legislative proposals to address consumer online and mobile privacy concerns. Please click here for a summary of the hearing.

Kelley Drye Hosts Webinar on Privacy in the Mobile Applications Space

On May 16, 2011, Kelley Drye’s Privacy and Information Security practice hosted the webinar Mobile Applications: Privacy and Data Security Considerations, which is part of the practice group’s Cutting Edge Technology Series. More than 80 participants joined Kelley Drye partners Dana Rosenfeld, John Heitmann, and Alysa Hutnik to review key privacy and legal principles applicable to companies that develop, market, sell, or deliver mobile applications (“apps”).

The mobile apps market, which is projected to reach nearly $4 billion in 2011, is attracting increased legislative and regulatory scrutiny, along with substantial litigation exposure, due, in part, to recent high-profile investigative news stories highlighting consumer privacy and data protection issues and omissions in consumer disclosures. During the webinar, the Kelley Drye partners reviewed the mobile app ecosystem and the current legal landscape. The partners then discussed emerging best practices and due diligence measures that can be used by all entities in the mobile app delivery chain to help minimize their legal risks. The plan encourages ongoing collaboration between a company’s legal, business, and technical stakeholders, and offers practical considerations relating to app design, the consumer experience, and contractual protections.

Please contact any of the partners noted above with questions concerning the privacy and data security principles applicable to the mobile apps space.

Click here to view and listen to a recording of the webinar.

Disney's Playdom Charged with Violating Children's Online Privacy, Enters $3 Million FTC Settlement

On May 12, 2011, the FTC announced that it reached a $3 million settlement with online “virtual worlds” website provider Playdom, Inc., a Disney subsidiary, for allegedly violating its own privacy policies and collecting and disclosing personal information on hundreds of thousands of children without parental consent – potential violations of the Children’s Online Privacy Protection Act (COPPA).

Playdom owns and operates a number of online “virtual world” websites, including sites geared for children such as Pony Stars, where users can play online games, post profile pages and engage in other online activities. In the process, between 2006 and 2010, Playdom’s websites collected personal information on over 400,000 children under the age of 13. In July 2010, Playdom was acquired by a subsidiary of The Walt Disney Company.

COPPA requires website operators to maintain clear privacy policies and obtain parental consent prior to the collection, use or disclosure of personal information – such as name, address, email, and telephone number – for children under the age of 13. Playdom allegedly violated COPPA by collecting children’s ages and email addresses during online registration and enabling child users to post personal information – their names, email addresses, instant messenger names and location information – on profile pages without first obtaining parental consent. Further, Playdom allegedly violated the FTC Act by misrepresenting in its privacy policies that children could not post profile pages, when in fact they could.

On May 11, 2011, the Department of Justice (on behalf of the FTC) formally filed a Complaint and entered the proposed $3 million Consent Decree and Order in the U.S. District Court for the Central District of California in Los Angeles. The $3 million Consent Decree marks the largest civil penalty doled out by the FTC under COPPA. This case and the growing list of cases involving online consumer privacy rights highlight the due diligence required when website operators and other companies collect, use and disclose consumer information (or acquire a company that does).

Christopher S. Koves contributed to this post.

Senate Hearing on Mobile Device Location Tracking Highlights Ongoing Concerns Over Consumer Privacy Protections

On May 10, 2011, the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to examine industry practices concerning the collection, retention, and use of consumer mobile device location information. The hearing, “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy,” was spurred by recent investigative news reports that Apple and Google have been secretly collecting and storing users’ mobile device location information. Two panels of witnesses, including representatives from the FTC, Department of Justice, Apple, and Google, briefed subcommittee members on the legal, enforcement, and technological aspects of the mobile location data issue.

The Senate hearing is the latest event during a particularly active period for consumer privacy and data security-related Congressional activity. In addition to hearings, a growing number of federal bills have been introduced in response to privacy and data security concerns.

Click here for a summary of the hearing, as well as a chart summarizing the various federal bills on point.

If this topic is of interest, don't miss the Kelley Drye & Warren LLP webinar, "Mobile Applications: Privacy and Data Security Considerations," on May 16 at 12:00pm Eastern.

Join Us on May 16 for the Webinar, "Mobile Applications: Privacy and Data Security Considerations"

Do you know what kind of data your smartphone apps are collecting?

Understanding the flow of data, how it is shared, and whether your apps collect sensitive information such as mobile payments or location-based data is critical to avoiding regulatory scrutiny and litigation risks.

Join Kelley Drye on May 16 from 12 noon – 1:00pm EST for a webinar exploring this uncharted legal territory, “Mobile Applications: Privacy and Data Security Considerations.” Topics of discussion will include:

  • The mobile ecosystem, including data flows and parties involved.
  • Privacy and security considerations, including unintended data uses.
  • Current issues in the legal landscape, including media coverage; inquiries and actions from Congress, the FTC, and FCC; litigation risks; and industry activity.
  • Emerging “rules for the road” for developing and marketing mobile apps.

This webinar will address the privacy and information security questions that are top of mind for anyone involved in developing, marketing, selling, or serving mobile apps.

Kelley Drye Speakers:

Dana B. Rosenfeld
Chair, Privacy & Information Security Practice and Partner, Advertising & Marketing Practice

Alysa Z. Hutnik
Partner, Privacy & Information Security and Advertising & Marketing Practices

John J. Heitmann
Partner, Telecommunications and Privacy & Information Security Practices

Email dcevents@kelleydrye.com to register.

New FTC Data Breach Cases Focus on HR Service Providers & Safeguarding Employee Data

Today, the FTC announced data security settlements with two companies based on allegations that the companies failed to employ reasonable data security measures. The twist in these cases, compared to prior FTC cases, is the focus on companies that act as service providers to businesses with respect to their employee data (as opposed to customer data).

The FTC settlements underscore:

  1. that reasonably protecting employee/HR data is within the FTC's scope of enforcement under Section 5 of the FTC Act, and
  2. the importance for all businesses to (a) exercise due diligence in selecting vendors that will have access to their employee/human resources data, and (b) confirm via contract and otherwise that the vendors have reasonable security measures in place (as to both the products being offered and the vendor's own business where the HR data will be maintained).

The Charges: In the two cases at issue, the HR service providers both incurred data breaches resulting in compromised employee information (e.g., employee names, addresses, social security numbers, dates of birth, direct deposit information). According to the FTC complaints:

  • Ceridian (a payroll and human resource services provider) operated a web-based payroll processing service for small business customers. The FTC's allegations focused on the vendor's practice of storing the HR PII in plain text and retaining it indefinitely without a business need, leaving the application vulnerable to predictable SQL injection attacks, and failing to employ measures to detect and prevent unauthorized access to the PII. As a result, the FTC alleged, the company lacked adequate network protections and mishandled its customers' employee information, resulting in a data breach that affected 28,000 employees of its small business customers.
  • Lookout Services, Inc. markets a web-based compliance product for employers that need to maintain citizenship information about their employees. The FTC's allegations charged that the vendor failed to implement reasonable security safeguards, including the absence of reasonable security policies, inadequate passwords and user credentials, and an insecure web application, resulting in a data breach of the company's database that held 37,000 social security numbers.
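The Ceridian allegation turns on two concrete engineering failures: employee records held in plain text, and a web application that spliced user input into SQL text. The following is an added illustration, not code from the FTC complaints or from either vendor, of what the SQL injection allegation means in practice: the same lookup written the defective way beside its parameterized form, run against a constructed in-memory table of fictional employee records. The table, the column names and the sample values are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample HR records (fictional); this is the kind of employee
# data the FTC complaints describe being exposed (name, SSN, etc.).
SAMPLE_EMPLOYEES = [
    ("alice", "Alice Example", "000-00-0001"),
    ("bob", "Bob Example", "000-00-0002"),
]


def build_db():
    """Create an in-memory table populated with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (username TEXT, full_name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_EMPLOYEES)
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the caller's input becomes part of the SQL text.

    Because the input is spliced into the statement, it can change the
    statement's structure rather than just supplying a value, which is the
    root cause of SQL injection.
    """
    sql = "SELECT full_name, ssn FROM employees WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the value is bound by the driver, never parsed as SQL.

    Whatever the caller supplies is compared as a literal string against the
    username column, so it cannot alter the WHERE clause.
    """
    sql = "SELECT full_name, ssn FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def mask_ssn(ssn):
    """Return only the last four digits, the display form a payroll UI
    should use so that full SSNs are not rendered or logged needlessly."""
    return "***-**-" + ssn[-4:]


# Canonical textbook probe string used to show the difference between the
# two lookups; it is a single input, not a valid username.
PROBE_INPUT = "nobody' OR '1'='1"


def compare_lookups(conn, username):
    """Run both variants on the same input and report how many rows each
    returns; a mismatch means the input altered the vulnerable query."""
    vulnerable_rows = lookup_vulnerable(conn, username)
    safe_rows = lookup_parameterized(conn, username)
    return {
        "vulnerable": len(vulnerable_rows),
        "parameterized": len(safe_rows),
        "query_altered": len(vulnerable_rows) != len(safe_rows),
    }


if __name__ == "__main__":
    db = build_db()
    print("normal input:", compare_lookups(db, "alice"))
    print("probe input: ", compare_lookups(db, PROBE_INPUT))
    for name, ssn in lookup_parameterized(db, "alice"):
        print(name, mask_ssn(ssn))
```

The parameterized form is the one an auditor reviewing the "comprehensive information security program" required by the settlements would expect to find; `compare_lookups` is the kind of check a code reviewer or test suite can run to confirm that a given query path treats input strictly as data.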

The Settlements: Under the settlements, Ceridian and Lookout Services must implement comprehensive information security programs that need to be independently audited every other year for 20 years. Additionally, the companies are barred from misrepresenting the privacy, confidentiality, and integrity of the personal information that they maintain in their systems. Violations of an FTC Order can subject a company to up to $16,000 per violation.

Representatives Stearns and Matheson Introduce Consumer Privacy Protection Act

On April 13, 2011, Representatives Cliff Stearns (R-FL) and Jim Matheson (D-UT) introduced privacy legislation that seeks to ensure that consumers have greater control and are better informed on the collection and use of their personal information. The Consumer Privacy Protection Act of 2011 would provide consumers with control over certain uses of personal information collected online and offline. Protections under the bi-partisan Stearns-Matheson bill include consumer notice requirements and the ability for consumers to limit disclosures of personal information to third parties.

The bill contains many provisions consistent with the Commercial Privacy Bill of Rights Act of 2011, introduced in the Senate by Senators Kerry (D-MA) and McCain (R-AZ) on April 12, 2011. Both bills would be enforced by the Federal Trade Commission (FTC), include a self-regulatory ‘safe harbor’ framework, permit the FTC to seek civil penalties for violations, preempt similar state laws, and exclude a private right of action. Contrary to the Kerry-McCain bill, the Stearns-Matheson bill does not cover certain telecommunications providers within its scope. Additionally, civil penalties under the Stearns-Matheson bill are set at double the amount permitted under the FTC Act (for a total of $32,000 per violation) with a maximum civil penalty of $500,000. The potential civil penalties under the Stearns-Matheson bill are greater per violation, but less overall, than the civil penalties proposed in the Kerry-McCain bill.

Click here for more information regarding the bill's provisions, as well as a chart summarizing the various federal bills on point.

Senators Kerry and McCain Introduce Consumer Privacy Bill of Rights

Following weeks of anticipation, on April 12, 2011 Senators John Kerry (D-MA) and John McCain (R-AZ) introduced comprehensive bipartisan legislation intended to provide consumers with greater control over the collection and use of personal information accessible through online and offline channels. The Commercial Privacy Bill of Rights Act of 2011 sets forth baseline fair information practice protections for consumers similar to those outlined in the December 2010 Department of Commerce Privacy Green Paper. Such protections would include consumer notice prior to the collection of personal information, and opt-in or opt-out consent mechanisms depending on the type of personal information collected and its intended use. Notably, the bill does not contain a Do Not Track provision, which distinguishes it from FTC staff recommendations and other privacy legislation/proposals.

The bill's coverage is broad: nearly all online and offline businesses fall within scope. Notably, this includes telecommunications providers, as well as non-profits, and the FTC would be the lead enforcer against such entities for violations, with the ability to levy $16,500 up to $3 Million in civil penalties for violations. Similar state laws would be preempted. The bill does not provide for a private right of action.

By proposing a number of black letter requirements on privacy and data security practices, and setting forth significant monetary penalty provisions for violations, the bill is clearly intended to change the legal status quo in the privacy realm. Click here for a summary of the key proposed changes to privacy and data security requirements set forth in the legislation.

Google Buzz Settlement Includes Two Privacy Settlement "Firsts" for the FTC

Google has agreed to settle Federal Trade Commission (“FTC”) claims alleging that the 2010 launch of Google Buzz, a social networking feature linking Gmail users with other people on Google’s network, involved deceptive tactics and violated Google’s privacy policy. The proposed settlement includes two firsts for the FTC:

  • First FTC settlement that requires a company to implement a comprehensive privacy program
  • First FTC settlement involving alleged violations of the U.S.-EU Safe Harbor Framework privacy requirements

The FTC Complaint

In its administrative complaint, the FTC alleged that: (1) some Gmail users who declined to enroll in Google Buzz were enrolled anyway; (2) Gmail users that enrolled in Google Buzz were not adequately informed that the people they email most frequently would be publicly disclosed through the “following/followers” function; and (3) the identities of Gmail users that later “turned off” Google Buzz were not removed from the social network. Google’s privacy policy stated that information would never be used “in a manner different than the purpose for which it was collected” without the user’s prior consent; however, the FTC alleged that use of information provided to Gmail was used for another purpose, the Google Buzz social networking feature, without the users’ consent.


"Payment Card Data Pass" Rules Gain Some Teeth: An Update on the Legal Landscape

Our May 31, 2010 BNA Privacy & Security Law Report article, "Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers," summarized then-recent legislation introduced in Congress regarding an online marketing practice commonly known as “payment card data pass.” As described more fully in the Scrutiny article, payment card data pass occurs when a consumer’s credit or debit card information is passed on to a third-party merchant following a sale. Frequently, the third-party merchant uses the billing information to enroll the consumer in various negative option subscription programs, wherein the consumer’s silence, or failure to take action to cancel the agreement, is interpreted by the seller as the consumer’s ongoing acceptance to continue to receive and pay for the goods or services offered by the third party merchant. In many instances, consumers, regulators, and plaintiffs in class action suits have alleged that consumers are unaware that their billing information has been passed to the third party and that they have been enrolled in a negative option program.

Over the past year, Congress, state and federal regulators, and the private bar, have taken steps to ensure that rigorous consumer protections are in place when data pass offers are made. These protections affect not only the companies who receive the financial information from other companies, but also the merchants who are sharing the information with third parties. This article in the current issue of BNA Privacy & Security Law Report provides an update on several of the developments that have occurred since the publication of the Scrutiny article and discusses practical considerations for businesses engaged in online marketing in light of these recent developments.

Click here to download the article by Kelley Drye attorneys Alysa Z. Hutnik, Joseph D. Wilson, and Jeffrey A. Kauffman: “‘Payment Card Data Pass’ Rules Gain Some Teeth: An Update on the Legal Landscape.”

Senate Hearing on Consumer Privacy Highlights Pending Legislation

On March 16, 2011, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing to examine online consumer privacy, with an emphasis on the use of behavioral targeting by online advertisers. The hearing, which included two panels of witnesses from the government and industry sectors, touched upon a growing number of legislative and regulatory proposals that attempt to strike a balance between protecting consumer privacy, ensuring continued business innovation, and preserving the free and diverse online content to which consumers have grown accustomed.

Committee members attending the hearing included Sen. John Kerry (D-MA), Sen. Mark Pryor (D-AR), Sen. Amy Klobuchar (D-MN), Sen. Johnny Isakson (R-GA), and Sen. Claire McCaskill (D-MO). Sen. Kerry, current Chairman of the Subcommittee on Communications, Technology, and the Internet, opened the hearing with statistics that reflect Americans’ concern about online tracking. He described online applications as “observational opportunities” for data collection companies, and noted the increasing ability to merge offline and online information to create highly-detailed consumer profiles. Stating that “we cannot let the status quo stand,” Sen. Kerry briefly described the legislation he is drafting with Sen. John McCain (R-AZ). The bill will propose a “commercial privacy bill of rights” that would establish a common code of conduct, which Sen. Kerry believes would encourage information sharing by establishing general protections for consumers while creating fair terms and conditions for online businesses.

Committee Chairman Jay Rockefeller (D-WV), who did not attend the hearing, issued a statement voicing his support for legislation that would impose basic privacy rules, and described self-regulatory efforts in the privacy area as “a failed experiment.”

A summary of the two panel sessions is set forth in the Kelley Drye client advisory.

Rep. Speier Introduces 'Do Not Track' Online Privacy Legislation

On February 11, 2011, Rep. Jackie Speier (D-CA) introduced “Do Not Track” legislation that would provide consumers with the ability to opt out of having their personal information tracked by online advertisers. If passed, the Do Not Track Me Online Act (H.R. 654) would direct the Federal Trade Commission (“FTC”) to promulgate regulations to establish standards for an online, consumer opt-out mechanism. Consumers would be able to opt out of the collection and use of their personal information, such as web activity, geolocation, IP address, name, physical address, email address, driver’s license or Social Security number, and financial account numbers, by online advertisers and website operators.

If enacted, the Act also would require online advertisers and website operators to disclose their data collection, use and disclosure practices, including identification of third parties that receive such personal information. The Act gives the FTC regulatory discretion to require that consumers have access to the data stored by the online advertiser or website operator.

The FTC and state Attorneys General would be able to enforce the Act, and may seek civil penalties up to $11,000 per day for violations (maximum $5,000,000 for related violations), as well as injunctive relief.


California Supreme Court Holds Zip Code is PII under Song-Beverly Act

This post was written by Dana B. Rosenfeld, Alysa Z. Hutnik, and Christopher M. Loeffler.

On February 10, 2011, the California Supreme Court released its decision in Pineda v. Williams-Sonoma Stores, Inc., holding that zip code information is personal identification information ("PII") under the Song-Beverly Credit Card Act (the "Song-Beverly Act"). The court's decision restricts businesses in California from requesting and recording a person's zip code as part of a credit card transaction.

In Pineda, the plaintiff made a purchase at the retailer's store with her credit card and, during the sales process, the cashier requested the plaintiff's zip code.  The plaintiff believed that her zip code was necessary to complete the transaction, and provided it to the cashier.  The plaintiff later alleged that the retailer used the plaintiff's zip code information and her name to find the plaintiff's address and add it to the retailer's marketing database, in violation of the Song-Beverly Act.

Under the Song-Beverly Act, a business is prohibited from requesting, or requiring as a condition to accepting a credit card payment, the cardholder's personal information, which the business records.  The California Court of Appeal had previously held that a zip code, without additional information, was not PII in Party City Corp. v. Superior Court.  However, in Pineda, the California Supreme Court clarified California's broad interpretation of PII.  The court examined statutory language and legislative history in determining that zip code information is considered PII.

The Song-Beverly Act defines PII as "information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder's address and telephone number."  The court examined dictionary definitions of "concerning" (such as "pertaining to" and "regarding"), and stated that a cardholder's zip code is certainly information that pertains to or regards the cardholder.

To resolve the conflict posed by Party City, which stated that a zip code was not PII because it pertains to a group of individuals that live in a certain area, as opposed to a single individual, the court provided three statutory explanations for its holding:

  1. A zip code is readily understood to be part of an address, and the statute expressly prohibits collection of an address.  Thus, the word "address" in the Song-Beverly Act should be construed as encompassing not only a complete address, but also its components.
  2. A complete address and telephone number (both of which may not be collected under the Song-Beverly Act) can refer to more than one individual residing at the address or location of telephone service.  The fact that a zip code may also refer to more than one person does not make it dissimilar to an address and telephone number.
  3. Address and telephone number are both information unnecessary to the sales transaction that, alone or together with other data such as the cardholder's name or credit card number, can be used for the retailer's business purposes.  Zip code information falls into this same category.

Further, the court examined the legislative history of the statute to support its holding that zip code information is PII.  The court stated:

  1. When the Song-Beverly Act was revised to permit businesses to require cardholders to provide identification so long as it was not recorded, the revision was described as "a clarifying, non-substantive change."  The court stated that this suggests that the legislature understood the provision to already prohibit the requesting and recording of any of the information, including zip codes, contained on driver's licenses and state ID cards.
  2. The Song-Beverly Act was revised to prohibit not only "requiring" the PII, but also "requesting" the information.  This revision was intended to prevent a retailer from circumventing the law by claiming that the customer voluntarily provided the data.

Businesses that operate in California and collect customer information at the sales register should pay close attention to how this decision may affect them, with particular attention to when personal information is being collected, and if it might reasonably be construed as being requested during the transaction, and as a mandatory request to complete the transaction.


2011 Likely to See a Greater Focus on Mobile Privacy Issues

In recent years, companies have gotten in trouble for failing to get consent before sending text messages to consumers. In a series of lawsuits, courts have determined that many text message campaigns are subject to the Telephone Consumer Protection Act, and that the law requires companies to get consent before sending text messages. Many companies have also gotten in trouble for failing to clearly disclose offer terms. For example, the Florida AG has challenged companies that buried the price of their services in the fine print. The costs of getting these things wrong can be high, with settlements costing many millions of dollars.

Although these types of cases are likely to continue, in 2011, mobile marketers are likely to see a greater focus on privacy issues. Indeed, when the FTC issued a preliminary staff report on privacy last year, the Commission cited various potential privacy issues in the mobile space. Last week, Mobile Commerce Daily published an article I wrote that outlines some of the key privacy issues in the mobile space. The article appears on page 22 of Mobile Commerce Outlook 2011.


Insights from Kelley Drye's 3rd Annual Privacy Seminar

On January 21, 2011, Kelley Drye & Warren hosted the seminar and audiocast, "Privacy By Design, Choice, and Transparency: What a New Framework Will Mean for Business and Technology." The seminar highlighted key regulatory and legislative developments in privacy and information security law during the past year.

Click here to listen to the audio recording.

Dana Rosenfeld, Kelley Drye partner and chair of the firm's Privacy and Information Security practice, opened the seminar by reflecting on the emphasis in 2010 and going forward for 2011 on bringing greater clarity to commercial privacy practices for the benefit of both consumers and commercial entities. Six experts representing the federal agencies and policymakers integral to recent privacy initiatives spoke during two separate panel sessions. The first panel reviewed and expanded upon the separate privacy frameworks released in December 2010 by the Federal Trade Commission ("FTC") and the U.S. Department of Commerce. The second panel included a discussion on the confluence of privacy policy and broadband adoption, along with perspectives on the privacy themes of greatest interest to the new Congress. Click here to read an overview of the key takeaways from each panel.

Privacy Law Seminar - Additional Speaker Announced

Peter Swire, former Clinton Administration Chief Counselor for Privacy, joins the line-up at the Kelley Drye seminar, “Privacy by Design, Choice and Transparency: What a New Framework Will Mean for Business and Technology.”

Join us on January 20, live in DC or via teleconference.

KEYNOTE SPEAKERS:

Jessica Rich, Deputy Director, FTC Bureau of Consumer Protection

Ari Schwartz, Senior Internet Policy Advisor, National Institute of Standards and Technology, U.S. Department of Commerce

Aaron Burstein, Telecommunications Policy Analyst, National Telecommunications and Information Administration, U.S. Department of Commerce

Josh Gottheimer, Senior Counselor to FCC Chairman Julius Genachowski

Peter Swire, Professor of Law, Ohio State University; former Obama Administration Special Assistant to the President for Economic Policy, National Economic Council; and former Clinton Administration Chief Counselor for Privacy, U.S. Office of Management and Budget

WHEN: Thursday, January 20, 2011, 3:00 – 5:30PM

WHERE: Kelley Drye, 3050 K Street, NW, Suite 400, Washington, DC, 20007. Remote access available.

REGISTER: Email dcevents@kelleydrye.com

Join Us on January 20th for the Seminar, "Privacy By Design, Choice, and Transparency"

On January 20, Kelley Drye will host its 3rd annual privacy law seminar:

Privacy by Design, Choice and Transparency: What a New Framework Will Mean for Business and Technology.

As businesses strive to innovate and evolve using new technologies, federal agencies including the FTC and FCC, the Congress, and state regulators are increasing scrutiny on privacy practices in an effort to protect consumers.

On the heels of the FTC’s proposed new framework for protecting consumer privacy, Kelley Drye gathers government leaders from key federal agencies for a discussion about how new privacy regulations and best practices, pending privacy and data security legislation, and enforcement trends are impacting U.S. companies ranging from retailers to telecommunications and technology companies.

Email dcevents@kelleydrye.com to register.

KEYNOTE SPEAKERS:

Jessica Rich, Deputy Director, FTC Bureau of Consumer Protection

Josh Gottheimer, Senior Counselor to FCC Chairman Julius Genachowski

WHEN: Thursday, January 20, 2011, 3:00 – 5:30PM

WHERE: Kelley Drye, 3050 K Street, NW, Suite 400, Washington, DC, 20007. Remote access available.

REGISTER: Email dcevents@kelleydrye.com

Commerce Department Releases Online Commercial Privacy Framework in Report

Today, the U.S. Department of Commerce released its version of an online commercial data privacy framework in a report entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report is the result of a review by the Commerce Department’s Internet Policy Task Force, launched in April of 2010, which included staff from National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute for Standards and Technology. The report comes two weeks after the Federal Trade Commission (FTC) released a preliminary staff report also on recommendations for an online privacy framework.

The report presents possible approaches to develop an online data privacy framework and proposes questions for further comment. The report includes four broad categories of


FTC Commissioner Discusses CFPB at Privacy Conference

FTC Commissioner Julie Brill spoke about the new Consumer Financial Protection Bureau (“CFPB”) during a keynote address she delivered at the International Association of Privacy Professionals Second Annual Conference on December 7th. While describing how Congress enacted the Fair Credit Reporting Act (“FCRA”) to protect consumers’ personal information, Brill stated that the FTC and CFPB “need to make sure our current rules continue, in this technologically advanced age, to protect consumers’ rights under the FCRA.” Given that the FTC already has several staff members involved in setting up the CFPB, it is no surprise that the FTC plans to work in tandem with the CFPB to enforce existing consumer protection laws and to understand new uses of data in connection with such efforts.

During the address, Brill also outlined the major components of the FTC’s preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change,” which includes a proposal for a Do Not Track mechanism that would permit consumers to control their tracking preferences at every website they visit. For a more detailed discussion of the FTC’s Report, including the concepts behind Do Not Track, please click here to read the Kelley Drye client advisory.

Visit our sister blog, www.ConsumerFinanceLawBlog.com for more commentary on the development of the CFPB.

A Detailed Overview of the FTC's Proposed Privacy Framework

Further to our December 1, 2010 post "FTC Releases Proposed Framework for Protecting Consumer Privacy", Kelley Drye has issued a client advisory with a more detailed discussion of the FTC's proposed privacy framework.

FTC Releases Proposed Framework For Protecting Consumer Privacy

This post was written by the Kelley Drye & Warren Privacy and Information Security Practice Group.

Today, the FTC issued its highly-anticipated preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change.”  The report proposes a new privacy framework for businesses and policymakers and addresses the Commission’s view that self-regulation has, up to now, failed to provide adequate consumer protection.  The framework would be applicable to the online and offline data handling practices of consumer data that can be reasonably linked to a specific consumer, computer, or device.  The report is largely based on a series of three public roundtables held over the past year that explored current privacy approaches. 

The proposed framework set forth in the report includes three primary recommendations: (1) Privacy by design; (2) Simplified choice for consumers on how their data is handled; and (3) Greater transparency for consumers on privacy practices:

1) Privacy By Design – Incorporate consumer privacy protections into everyday business and each stage of product or service development.  Specifically, the report recommends that this process should:

  a) Provide for reasonable security for consumer data;
  b) Limit personal data collection to only data needed for a specific business purpose;
  c) Limit personal data retention to only the period of time needed to fulfill the specific business purpose;
  d) Securely dispose of personal data no longer being used; and
  e) Implement reasonable procedures to promote personal data accuracy.

Additionally, the report recommends that a business’s internal privacy practices should include:

  a) Dedicated personnel to oversee privacy issues;
  b) Employee training on privacy issues; and
  c) Privacy reviews for new products or services.

2) Simplified Choice – Provide consumers with simpler, more streamlined choices about privacy practices. The report recommends that businesses should:

  a) Identify “commonly accepted” data practices for which consumer choice is not necessary, e.g., product fulfillment, improvement of internal business operations, fraud prevention, legal compliance, and first-party marketing;
  b) Identify data practices that are not “commonly accepted,” and provide consumers with clear descriptions of these practices in context with the request (e.g., at the time when the consumer provides his or her information or through a universal mechanism); and
  c) Offer consumers greater choice, particularly with data practices not “commonly accepted,” such as behavioral advertising. To this end, the Commission staff supports a “Do Not Track” tool that allows the consumer to decide whether to receive targeted ads.

3) Greater Transparency – The report recommends the following measures for companies to take to make their data practices more transparent to consumers:

  a) Make privacy policies easy to understand and useful as a consumer tool to compare businesses’ practices;
  b) Provide consumers with access to data that companies maintain about them;
  c) Obtain affirmative consent for material, retroactive changes to data policies; and
  d) Educate consumers about commercial data privacy practices.

The proposals within the preliminary report are not directly enforceable regulations, but they are instructive and provide insight on what businesses can expect in privacy enforcement trends in the future. The report invites public comment with a filing deadline of January 31, 2011. 

Kelley Drye will be circulating a client advisory with a more detailed discussion of the FTC’s proposed privacy framework shortly.

ABA Consumer Protection Conference Open for Registration

Hot off the presses -- registration for the ABA Consumer Protection Conference (Feb. 3, 2011, Washington DC) is now open! There is limited seating, so early registration is encouraged.

The all-star line-up of speakers includes:

  • FTC Commissioners Julie Brill, Edith Ramirez, and J. Thomas Rosch
  • Canada Privacy Commissioner Jennifer Stoddart
  • Tony West, Assistant Attorney General, DOJ
  • David Vladeck, Director, Bureau of Consumer Protection, FTC
  • Joel Winston, Associate Director, Division of Financial Practices, FTC
  • Sarah Mathias, Associate General Counsel, FTC

And representatives from the California and Texas Attorneys General Offices, the National Advertising Division, the Center for Democracy & Technology, Electronic Frontier Foundation, the American Bankers Association, among others.

Hot topics to be addressed include privacy, CP enforcement priorities, new substantiation rules, third party liability, social media, and more.

The full program brochure and registration information are available at the ABA's website. Space is limited so register soon to secure your spot, and please spread the word!

Kelley Drye partner Alysa Hutnik is a Conference Co-Chair.

FTC Advises Congress to Bring Telecommunications Carriers Within the Scope of Proposed Federal Data Security and Data Breach Legislation

Yesterday, the FTC testified before a Senate Subcommittee and recommended that proposed data security legislation introduced by Senators Pryor (D., AR) and Rockefeller (D., WV) be modified so that its requirements and the FTC’s enforcement authority thereunder be extended to telecommunications common carriers. See my recent article discussing FCC and FTC jurisdiction over broadband providers – which may or may not make telecom common carriers exempt from the FTC Act.

S.3742, The Data Security and Breach Notification Act of 2010 (one of several pieces of proposed data security legislation in play on the Hill), would require a broad array of commercial and nonprofit entities to (a) implement reasonable data security policies and procedures, and (b) notify consumers of a security breach involving electronic records. It also would require covered entities to offer credit reports and monitoring services to consumers impacted by a data breach. The proposed legislation, which would preempt state law, also would give general concurrent enforcement authority to the FTC and state attorneys general.

At yesterday’s hearing, subcommittee members and hearing witnesses discussed the proposed legislation’s “exemption” provision and the manner in which it might address potential redundancy with other federal data protection statutes such as HIPAA, FCRA and the Gramm-Leach-Bliley Act. Notably, in making its recommendation to extend the reach of the proposed legislation to telecommunications common carriers, the FTC made no mention of Section 222 of the Communications Act and the FCC’s related CPNI rules, which require such entities to comply with complex data security requirements and also require breach notification to consumers, as well as to the FBI and Secret Service.

The FTC’s testimony is the latest in a series of FTC actions signaling the agency’s concern regarding the amount of personal information telecom common carriers handle and its ability – or inability – to take enforcement action against such carriers.

New Article on Evolving Privacy Regulation Affecting Broadband Service Providers

Increasingly, what's happening online is driving the evolution of privacy regulation. And increasingly, Americans are getting online via broadband connections.

The FCC, which is charged with spurring broadband deployment, adoption and innovation, recently concluded that privacy concerns are creating an impediment to these goals. A new article published in The Metropolitan Corporate Counsel provides an overview of the FCC's broadband privacy agenda and related jurisdictional issues, including shared jurisdiction with the FTC. The article also highlights initiatives by the Department of Commerce's Internet Task Force and the FTC regarding online privacy.

The article – available here – should prove useful for broadband providers and others in the Internet ecosystem looking for a quick read on how federal agencies, including those less obvious than the FTC, are engaging with respect to online privacy issues.

Visa Issues Top 10 Best Practices for Payment Application Companies

Evolving threats to payment card data security and recent payment card data compromises have prompted Visa to issue a set of best practices for payment application companies to help mitigate security issues that lead to data compromises. Visa has recommended that acquirers, merchants, and agents should review Visa’s best practices and insist that their payment application vendors, integrators, and resellers fully adopt the new standards. Visa’s best practices recommend that payment application companies:

  • Perform background checks on new employees and contractors prior to hire, including conducting investigations regarding previous employment history, academic history, credit history, and reference checks;
  • Maintain an internal and external software security training and certification curriculum;
  • Adhere to industry guidelines for data field encryption, tokenization, and PAN elimination across payment applications that use these technologies to help reduce risks to cardholder data;
  • Adhere to a common software development life cycle based on ISO 12207 across payment applications to ensure that software is being properly developed and managed;
  • Ensure that newly released payment application programs are compliant with the Payment Application Data Security Standard (“PA-DSS”); and
  • Conduct application vulnerability detection tests and code reviews against common vulnerabilities and weaknesses prior to sale or distribution of payment application products to help companies identify and fix problems before the product release.

Visa noted that it has provided these standards to increase awareness of the payment application industry’s best practices and stressed that all payment system participants should maintain compliance with the Payment Card Industry Data Security Standards (“PCI DSS”). The full list of Visa’s best practices can be found here.

FTC Closes Data Security Investigation of P2P Software Provider

On August 19, 2010, FTC staff closed an investigation into Limewire, LLC.  Limewire provides both a free and purchasable version of P2P software.  Based on the staff's closing letter, available here, the investigation focused on a security vulnerability in legacy versions of the P2P software that put users at risk of inadvertently sharing sensitive information stored on their computers.

FTC staff decided to voluntarily close the investigation. Among the factors considered as part of closing the investigation were:

  • Limewire's incorporation of safeguards into the updated software's user interface to help users avoid the inadvertent sharing of sensitive documents;
  • the high attrition rate for legacy versions of the software;
  • Limewire's inability to force users to update to a newer software version; and
  • users of some of the older software versions may have been able to avoid disclosure of sensitive PII (noting that an act/practice is not "unfair" under Section 5 unless it causes consumer injury that is not reasonably avoidable by consumers).

Given the staff's ongoing concern that consumers using the legacy software may remain at risk of PII disclosures, the staff stated its expectation that Limewire would continue to advise consumers to upgrade the software and participate in industry efforts to inform consumers about how best to avoid inadvertent sharing of sensitive documents.

This closing follows the FTC's press release earlier this year that it had notified nearly 100 organizations that their sensitive PII records were on P2P networks, and that it was investigating several organizations whose customer or employee information had been exposed on P2P networks. That press release is available here.

Illinois Enacts New Law Governing Employer's Use of Credit History

This post was written by Alysa Hutnik and Megan Olsen

On August 10, 2010, Illinois enacted H.B. 4658, the Employee Credit Privacy Act, which governs the use of credit information for employment purposes. The new law makes it an unlawful employment practice for an employer to:

  • Fail to hire or recruit, discharge, or otherwise discriminate against an individual because of the individual’s credit history;
  • Inquire about an applicant’s or employee’s credit history; or
  • Obtain an applicant’s or employee’s credit report from a consumer reporting agency.

Employers may still use credit history for employment decisions if satisfactory credit history is an established bona fide occupational requirement. Significantly, this exception includes situations where the employee has access to confidential information (e.g., personal or financial information), as well as where state or federal law requires bonding or other security to cover an individual holding the position, the individual has unsupervised access to business assets valued over a certain amount, or the position is a managerial position that involves setting the direction or control of the company. The new law also allows employers to continue to conduct background investigations on employees or potential employees as long as that investigation does not involve information on credit history.

Illinois’s law will go into effect on January 1, 2011, making it the fourth state to restrict employers’ use of an individual’s credit history for hiring decisions (Oregon enacted a law earlier this year, and Hawaii and Washington had previously enacted similar laws in 2009 and 2007, respectively).

FTC Proposes New Model FCRA Notices

The FTC has announced proposed revisions to its model notices for consumers, users, and furnishers of information under the Fair Credit Reporting Act (FCRA). The changes are designed to reflect new rules promulgated under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and to make the notices more useful to recipients. Revisions have been proposed for: 1) the Summary of Rights for consumers; 2) the Notice of Furnisher Responsibilities; and 3) the Notice to Users. The FTC is accepting public comment on the proposed changes until September 21, 2010. The FTC’s news release, proposed notices, and Federal Register notice are available at: http://www.ftc.gov/opa/2010/08/fcra.shtm.

PCI Security Standards Council to Release Updated Security Standards: PCI DSS 2.0 and PA-DSS 2.0

On Thursday, August 12, 2010, the Payment Card Industry Security Standards Council (PCI SSC) released a document highlighting proposed revisions to the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS).  These revisions will not include significant changes to the current standards, but seek to:

  • Provide clarity on the requirements, scoping, and reporting;
  • Improve flexibility for merchants to comply with the requirements;
  • Address new and evolving risks;
  • Incorporate industry best practices; and
  • Eliminate redundancies.

The PCI SSC expects to provide a detailed summary of the changes and pre-release versions of the standards to internal participants in early September.  PCI DSS 2.0 and PA-DSS 2.0 should be released to the public on October 28, 2010, and will become effective on January 1, 2011.

Merchants, payment card processors, and payment application developers should continue to watch these developments to ensure that their services remain compliant with the standards.

Congress Explores Consumer Privacy Protection

The emergence of privacy legislation from several committees in both chambers of Congress in the past months, combined with the ongoing FTC scrutiny of existing privacy practices of companies during the past year, reflect a growing concern for consumer privacy that may well lead to the establishment of standardized data security and data privacy regulations in the United States.

On Thursday, July 22, 2010, the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, chaired by Representative Bobby Rush (D-IL), conducted a hearing to discuss the Chairman’s recently introduced H.R. 5777 – “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (The Best Practices Act). Witnesses included key stakeholders on privacy policy – representatives from privacy advocacy organizations and private industry, and notably, David Vladeck, Director of the FTC’s Bureau of Consumer Protection.

The Senate Committee on Commerce, Science, and Transportation held its hearing regarding online privacy practices and the future of consumer privacy protection on Tuesday, July 27, 2010. Witnesses included FTC Chairman Jon Leibowitz, FCC Chairman Julius Genachowski, as well as representatives from Google, Apple, and Facebook.

Click here to read more about the new direction of privacy regulation in the Kelley Drye client advisory.

Scrutiny on Payment Card Data Pass

On April 27, Visa announced a new rule to expressly restrict online marketers from sharing cardholder information to other companies without the consumer’s knowledge or active consent – a practice referred to as “data pass.” And on May 19, Senate Commerce Committee Chairman, Jay Rockefeller (D-W.Va.), proposed legislation (S. 3386), entitled “The Restore Online Shoppers’ Confidence Act,” which would prohibit companies from enrolling consumers in paid-subscription programs unless the consumers separately provided full payment card numbers to each company presenting an offer and affirmatively agreed to each offer. An article in the most recent BNA Privacy & Security Law Report, “Scrutiny on Payment Card Data Pass: Raising the Profile of Personal Information Sharing Among Marketers,” discusses the new restrictions on payment card data pass, and the areas of risk going forward for companies that continue to engage in the same or similar personal data sharing practices with third parties for marketing purposes when the practice is not clearly disclosed and agreed to by consumers.

Representative Boucher Introduces Privacy Legislation

This post was written by Dana B. Rosenfeld and Megan L. Olsen.

On May 4, 2010, Rep. Rick Boucher (D-VA), the House Energy and Commerce Communications, Technology, and the Internet Subcommittee Chairman, and Rep. Cliff Stearns (R-FL), the Ranking Member of the Subcommittee, released a discussion draft of a privacy bill intended to address concerns about online behavioral advertising and place limits on how consumer personal information is collected, used, and disclosed. The bill would require organizations that collect consumer information to (1) clearly and conspicuously disclose privacy policies; (2) allow consumers to opt out of information collection and sharing and, in some instances, require the consumers’ express affirmative consent to the information practices; and (3) allow the FTC to adopt rules to implement and enforce the bill’s requirements.

The release of the draft bill follows increased legislative and regulatory scrutiny over consumer privacy protection measures—a topic that was extensively explored in recent House Energy and Commerce Committee hearings, in the Federal Trade Commission’s (FTC) recent series of privacy roundtables (see our previous posts here, here, and here), and addressed, at least partially, in the FTC’s April 26, 2010, announcement (see previous post) that it intends to develop Internet privacy guidelines. All of these efforts underscore that regulation of business practices concerning consumer information will likely remain at the forefront for the near future. A more detailed analysis of the Boucher/Stearns bill will be available through Kelley Drye and Warren's Advertising practice client advisories.

FTC Plans for Internet Privacy Framework

This post was written by Christopher M. Loeffler and Alysa Z. Hutnik.

On Tuesday, April 26, 2010, the Federal Trade Commission (FTC) announced that it intends to develop Internet privacy guidelines. The guidelines will examine social networking sites' data handling practices and create a framework to guide social networks and others going forward. Given the FTC's recently concluded Privacy Roundtables (see our posts here, here and here) and pending action items from the roundtables, the guidelines for social networks may provide a foundation for further FTC privacy guidance for businesses down the road.

The FTC's recent announcement follows complaints by US and international lawmakers and regulators regarding the privacy practices of several online companies. Senators Schumer (D-NY), Franken (D-MN), Bennet (D-CO), and Begich (D-AK) sent a letter to Facebook, expressing concern about the changes Facebook made to its privacy policy that make more user information publicly available, permit third parties to store users' information indefinitely, and allow for Facebook technology to be integrated with other websites. The Senators also called on the FTC to issue rules or guidance in this area. As noted previously, international regulators also recently sent a letter to Google expressing concern about its privacy practices.

While privacy laws have been in flux for some time, these events underscore how rapidly the regulatory environment for online businesses is changing, and a close watch on the FTC's actions and guidance will be critical to navigate the compliance road ahead.

10 Data Protection Regulators Issue Letter to Google

This post was written by Christopher M. Loeffler and Alysa Zeltzer Hutnik.

On April 19, 2010, data protection authorities from Canada, France, Germany, Ireland, Israel, Italy, Netherlands, New Zealand, Spain, and the United Kingdom sent a letter to Google indicating their disappointment and concern related to Google's privacy practices. The letter called out the Google Buzz social networking application, stating that it "violated the fundamental principle that individuals should be able to control the use of their personal information," and noted that privacy concerns were previously raised with the launch of Google Street View.

The groups commented: "Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world."  Lastly, the groups urged Google to incorporate fundamental privacy principles into the design of its online services including:

  • Collect and process only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • Provide clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • Create and apply default settings that are privacy-protective;
  • Ensure that privacy control settings are prominent and easy to use;
  • Ensure that all personal data is adequately protected, and
  • Provide simple procedures to delete accounts and honor these requests in a timely manner.

Members from Canada, France, Israel, Netherlands, and Spain will hold a press conference in Washington, D.C. today to address the initiative. As a practical matter, businesses should consider these concerns and recommendations when launching new online services and applications.

Maine Repeals Law Prohibiting Marketing to Children

In a post last month, we wrote that a Maine legislative committee had voted to repeal a recently-enacted online marketing law and predicted that the full legislature would soon repeal the law. Since then, Maine Governor John Baldacci signed an emergency measure to repeal the law.

Among other things, the Act To Prevent Predatory Marketing Practices Against Minors had prohibited companies from knowingly collecting personal information from minors under 18 without parental consent. Although the Maine Attorney General had opined that the law might be unconstitutional and committed not to enforce the law, there had been a threat that private plaintiffs would use the law to challenge companies. Now that the law has been repealed, however, that threat is no longer present.

Mississippi Enacts Data Breach Notification Law

This post was written by Christopher M. Loeffler and Alysa Zeltzer Hutnik.

On April 7, 2010, Mississippi enacted a data breach notification law that requires any person who conducts business in the State of Mississippi, and who, in the ordinary course of the person's business functions, owns, licenses, or maintains personal information of any resident of Mississippi, to provide notice in the event of a data security breach. This law tracks the general language of data breach notification laws already enacted in 45 other states and the District of Columbia. The law will become effective on July 1, 2011.
 
Failure to comply with the law is considered an unfair trade practice and may be enforced by the Mississippi Attorney General. Notably, there is no private right of action. Under the state statutes prohibiting unfair or deceptive acts or practices, the Attorney General may seek injunctive relief and, for knowing or willful violations, a civil penalty of up to $10,000 per violation. The Attorney General may also seek criminal penalties, including fines and imprisonment, for knowing or willful violations.
 
This law continues the trend of data security legislation at the state level. See previous posts here and here. It is a good reminder for businesses that their information security practices are subject to a patchwork of state and federal regulations, and that they should examine not only what they are doing to ensure compliance with data breach notification laws, but also what their safeguarding and data handling practices are.

FTC Holds Final Privacy Roundtable

On March 17, 2010, the Federal Trade Commission (FTC) held the third and final discussion of its roundtable series, Exploring Privacy. Panel topics focused on Internet Architecture and Privacy, Health Information, Addressing Sensitive Information, and Lessons Learned and Looking Forward.

The FTC intends to use the information gathered from these roundtables to restructure and guide its privacy agenda. Next steps for the FTC may include extending the application of fair information practices, increasing enforcement of unfair and deceptive privacy practices, and developing privacy models and frameworks to address new technologies and business models. FTC officials have stressed, however, that the Commission will review and analyze the information received through the roundtables and other channels before adopting any specific policies or initiatives.


Maine Committee Votes to Repeal Law Prohibiting Marketing to Children

This month, a Maine legislative committee voted to repeal a controversial online marketing law that was enacted just last year. Among other things, the law, entitled “An Act To Prevent Predatory Marketing Practices Against Minors,” prohibits companies from knowingly collecting personal information or health-related information from minors under 18 without parental consent.

Shortly after the law was enacted, a group of plaintiffs filed suit arguing that the law was unconstitutional. Maine Attorney General Janet Mills acknowledged that the law was “not presently enforceable” and the case was later dismissed. In the court order, the judge wrote the Attorney General had "acknowledged her concerns over the substantial overbreadth of the statute and the implications of [the law] on the exercise of First Amendment rights, and accordingly has committed not to enforce it."

The Maine legislature must still vote on the repeal in order to make it effective. But given the constitutional problems with the law and the inevitable challenges that would be filed against the law should it be enforced, we expect the law to be repealed within the coming weeks.


Washington State Enacts PCI Bill

Washington has enacted a statute, which we first discussed in a prior blog post, to provide financial institutions with a cause of action against certain entities involved in payment card transactions that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. The law goes into effect on July 1, 2010.

For more information about how the new law applies to businesses, processors and vendors, please reference the Kelley Drye Client Advisory.

Washington on the Verge of Enacting PCI Bill

Earlier this month, the Senate and House of Representatives in Washington passed a new PCI bill, HB 1149. The bill now awaits the Governor’s signature but, if signed into law, will provide financial institutions with a cause of action against businesses or payment processors that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. This new cause of action in Washington is similar to the existing statute in Minnesota and shows that payment card industry data security standards (“PCI DSS”) compliance continues to be codified on a state-by-state basis. If the bill is signed, the law will go into effect July 1, 2010.

Under the bill, account information is defined as: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device (an “identification device” is defined as “an item that uses radio frequency identification technology or facial recognition technology”); or (iii) the unencrypted primary account number on a credit card or debit card or identification device in combination with an unencrypted cardholder name, expiration date, or service code. The bill also provides that a processor or business suffering a data breach of its account information may now be liable to a financial institution for “reimbursement of reasonable actual costs related to the reissuance of credit and debit cards” incurred by the financial institution as part of efforts to mitigate current or future damages to its cardholders.

Notably, the bill exempts processors, businesses, and vendors from liability if the account information was encrypted at the time of the breach or if the business was “certified compliant with the payment card industry data security standards” in effect at the time of the breach. A business is considered compliant if its PCI DSS compliance was validated by an annual security assessment conducted no more than one year prior to the breach. If signed into law, the bill will represent another incentive for companies to become PCI DSS compliant and another area of potential liability in the absence of such certification.

Italian Court Convicts Google Executives of Privacy Violations

On February 24, 2010, an Italian court convicted three Google executives of violating Italy's privacy laws in connection with a video posted to Google Video that showed a group of teenagers bullying another teenager with disabilities. Judge Oscar Magi sentenced Google Global Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and former Google CFO and board member George Reyes to six-month suspended jail sentences and fines. The executives were acquitted of criminal defamation charges. This appears to be one of the first cases in which a privacy executive has been held personally liable for the actions of a site's users.

The prosecutors alleged that the executives did not take sufficient action to keep the video off Google's site, despite the fact that Google received only two complaints about the video and it was taken down less than 24 hours after being posted. Prosecutors stated that Google should have obtained consent from each party involved before permitting the video to be posted. European law provides a safe harbor for ISPs and does not hold them liable for third-party content, provided the ISP takes down any content that someone complains about and is considered offensive.

Members of the technology and privacy communities have described the decision as "terrible," "astonishing," and "troubling." One commenter stated: "It is like prosecuting the post office for hate mail that is sent in the post."

If upheld on appeal, this decision could dramatically affect Internet freedom. It appears to continue Italy's strong consumer protection stance and attempted regulation of social media. In a previous post, we noted the recent draft decree issued by the Italian government that would require social media sites to screen all posted content that may be harmful to minors.

Although the Google executives will appeal the conviction, the case demonstrates that the Internet makes it easy to take actions globally, but what is permitted in the U.S. does not always work everywhere.

FTC Warns Companies of Data Leaks on Peer-to-Peer File Sharing Networks

This post was written by Dana B. Rosenfeld and Christopher M. Loeffler.

On February 22, 2010, the Federal Trade Commission (“FTC”) announced that it notified nearly 100 organizations that personal information about the organizations’ customers or employees is available on peer-to-peer (“P2P”) file sharing networks. [1] Through an Internet-wide sweep, the FTC discovered that sensitive data such as health-related information, financial records, drivers’ license numbers, and Social Security numbers had been shared from organizations’ computer networks and are accessible to those who may use the data for illegal practices such as fraud or identity theft. The Commission has not publicly identified which organizations were notified, but it stated that letters were sent to large and small private and public entities, including schools and local governments.


Behavioral Advertising Icon Adopted

This post was written by Kristin A. Hird and Dana B. Rosenfeld.

A broad coalition of advertising associations has agreed on a standard icon – a white “i” surrounded by a circle on a blue background dubbed the “Power I” – which will be added to websites and will link consumers to a page explaining how the advertiser uses their demographics and behavioral data to send certain ads. Developing the new symbol is part of self-regulatory principles agreed to by major advertising groups including the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in an effort to address the FTC’s concerns about the behavioral advertising industry’s activities.

There is no legal requirement that the groups’ members adopt the icon but the advertising coalition expects that most of its members, including many major online retailers, will begin running it by midsummer. It is anticipated that the icon will initially appear with phrases such as “Why did I get this ad?” and the Interactive Advertising Bureau has started an online advertising campaign to explain the icon to consumers. The idea is to establish an immediately recognizable and trusted symbol as well as provide a link to information.

It’s yet to be seen how widespread implementation of the self-regulatory principles will be by the coalition’s members, much less whether the coalition’s steps will be sufficient to ward off regulation by the FTC. But keep an eye out for the little blue icon appearing on websites this summer.

FTC Continues to Explore Consumer Privacy Protection Measures

On January 28, 2010, the Federal Trade Commission (FTC) held its second consumer privacy roundtable, focusing on technology’s effect on consumer privacy and its potential to both weaken and strengthen privacy protection. Similar to the first roundtable, the FTC’s second roundtable featured discussions by industry leaders, consumer groups, academics, and government representatives. The discussion continued to focus on whether the FTC’s current privacy paradigm, particularly the notice and choice model, sufficiently protects consumers and allows them to understand and control how personal information is collected and used.


FTC Expresses Interest in Facebook's Privacy Practices

On Tuesday, January 19, 2010, the Electronic Privacy Information Center (EPIC) publicly posted a copy of a letter from the Federal Trade Commission (FTC) that responds to a complaint filed by 10 privacy rights organizations regarding Facebook's changes to its privacy settings. In the letter, David Vladeck, director of the FTC's Bureau of Consumer Protection, noted that the "complaint raises issues of particular interest for us at this time," and referenced the privacy roundtables that the FTC is hosting to explore consumer privacy protection challenges, existing fair information practices, and the creation of a new privacy regulatory framework. A summary of the first privacy roundtable is available here.

While there is no indication as to whether the FTC is currently investigating Facebook, as any investigation would remain non-public until the FTC files a complaint or closes the investigation, this is not the first time Facebook has come under fire for its privacy practices. In 2008, a class action complaint was filed against Facebook alleging violations of various federal privacy and computer fraud laws, as well as California consumer protection and computer crimes laws, arising out of Facebook's Beacon program. It was alleged that under the Beacon program, information about Facebook users' online purchases with Facebook's partners was shared with the users' network without the users' consent and used in targeted advertising. A $9.5 million settlement agreement is pending approval by the court.

If your company maintains information about your customers, check with your legal counsel before adjusting privacy practices that could result in new or different customer information being shared.

Nevada and New Hampshire Add Data Security and Privacy Laws

New privacy and data security laws took effect in Nevada and New Hampshire on January 1, 2010, continuing the trend of state governments acting to strengthen data security laws. Nevada’s law makes it the first state to mandate compliance with the entire Payment Card Industry Data Security Standard (PCI DSS) and imposes a requirement on businesses and government agencies to encrypt sensitive data transmitted or carried outside of the premises of the business or agency. New Hampshire’s law first sets forth restrictions regarding the use and disclosure of personal health information for marketing or fundraising purposes and then sets forth a disclosure requirement if there is unauthorized use or disclosure of protected health information in violation of New Hampshire law, even if the use or disclosure is allowed under federal law.


FTC Debates Online Privacy Protection: Agency Seeks to Incorporate Views of Regulators, Industry Leaders, and Academics into Comprehensive Privacy Protection Model

On December 7, 2009, the Federal Trade Commission ("Commission" or "FTC") hosted a privacy forum, "Exploring Privacy: A Roundtable Series," addressing consumer privacy protection challenges, existing fair information practices, and the creation of a new privacy regulatory framework. December's roundtable, held in Washington, D.C., was the first of three roundtables organized by the FTC focusing on consumer privacy protection.

Panelists in the first roundtable discussed a broad range of privacy-related issues, including emerging technologies' impact on consumer privacy, consumer expectations and knowledge of privacy protection, online behavioral advertising, regulation of information brokers, existing privacy regulatory frameworks, and privacy protection measures moving forward.


Insights From Kelley Drye's 2nd Annual Privacy Law Seminar

On November 17, 2009, Kelley Drye & Warren hosted a seminar and webcast, “Privacy Law Paradigm Shift: Policymakers Respond to Rapidly Evolving Technologies,” addressing new developments in privacy and information security law, regulation, and enforcement. Kelley Drye Partner Tom Cohen and Of Counsel Jodie Bernstein opened the seminar with an overview of privacy law and a history of the Federal Trade Commission’s enforcement priorities. Nine experts from the government and private sector spoke during three different panel sessions: The New Privacy Paradigm, Developments in Data Security, and Privacy and New Technologies. This advisory provides an overview of the key take-aways from each panel.

A webcast recording is also available to view online.
