UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

 


New FCC Proceeding Seeks Comment on Potential Exemptions to Telemarketing, Autodialer, and Prerecorded Message Restrictions

 

The Federal Communications Commission (FCC) issued a Public Notice seeking comment on a Petition for Expedited Clarification and Declaratory Ruling (Petition) filed by Global Tel*Link Corporation (Global Tel) regarding its outbound calling practices.  The Petition raises several key issues under the Telephone Consumer Protection Act (TCPA) and related FCC rules, including whether certain calls (e.g., non-telemarketing calls) should be exempt from some of the TCPA’s restrictions on the use of prerecorded messages and autodialers.  Given the broad applicability of the TCPA and the FCC’s rules, this new proceeding could affect any company that places calls using prerecorded messages or autodialers.

The TCPA and the FCC’s rules prohibit, among other things, the use of automatic telephone dialing systems (“autodialers”) or artificial or prerecorded messages when calling, inter alia, telephone numbers assigned to wireless services, absent an emergency or the “prior express consent” of the called party.  Of note, the restriction against placing these calls to mobile phones without prior express consent applies regardless of whether the call is a “telemarketing” call.  The TCPA and the FCC’s rules also make it unlawful to place a non-emergency telephone call to a residential line “using an artificial or prerecorded voice” without the recipient’s “prior express consent” (although there are some exceptions).   

As described in the Petition, Global Tel provides outbound calling services for prison inmates.  For certain outbound calls (e.g., some calls from inmates to mobile phone numbers), Global Tel sets up a billing arrangement with the called party before connecting the called party to the inmate.  For example, when the inmate places a call, Global Tel initiates an “automated interactive voice response notification” to:

  • inform the called party that an inmate is trying to make contact;
  • get consent for the call; and
  • establish the billing arrangement. 

Global Tel then puts the call through. 

Concerned that these inmate calls could expose the company to liability under the TCPA and the FCC’s rules, Global Tel has asked the FCC to exempt the calls from TCPA enforcement.  For example, Global Tel argues that the calls to landline phones serve no commercial purpose, are not an unsolicited advertisement, and include an opt-out mechanism so that called parties can avoid future calls.  Regarding calls to mobile telephone numbers, Global Tel argues, among other things, that it can be presumed that the inmate has dialed a cell phone number because that is the number at which the called party wishes to be reached.  Moreover, the called party may have only a wireless phone (and not a landline phone).  Separately, Global Tel argues that its calls do not involve the use of an autodialer or predictive dialer.

Although the Petition is focused on Global Tel’s situation, the FCC’s decision in this proceeding could affect many companies that rely on the use of prerecorded messages or autodialers as part of their communications strategy.  Nonetheless, the FCC has established a very short comment period for this item – comments will be due just 15 days after the item appears in the Federal Register, and replies are due 25 days after the item appears in the Federal Register.

 

FCC Releases National Broadband Plan, Promotes Consumer Control Over Personal Information

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

 

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

 

many users are increasingly concerned about their lack of control over sensitive personal data.

 

The FCC then remarks:  

 

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

  • Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;
  • Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;
  • Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and
  • Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

New White Paper Co-Authored by Hogan's Christopher Wolf Outlines How "SmartPrivacy" Concept Can be Used to Address the Privacy Concerns Raised by the Smart Grid

A new white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation,  highlights the importance of building privacy into new "Smart Grid" technologies from the outset.  The paper is co-authored by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, Jules Polonetsky and Hogan’s Christopher Wolf.  Wolf and Polonetsky co-authored the paper in their capacity as co-chairs of the Washington-based Future of Privacy Forum.

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

The paper outlines Commissioner Dr. Ann Cavoukian’s SmartPrivacy concept and how it can be used to address the privacy concerns raised by the Smart Grid.


Two Hogan & Hartson Advisories on the Use of Social Media

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog".  Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites.  But times have changed from when anonymity meant there were no obvious consequences to online conduct.  The proliferation of the use of social media is much in the news, and the legal issues also are proliferating.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.

 

Maine Law to Protect Kids from Predatory Marketing Effectively On Hold

When the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

A host of businesses and colleges are hoping that old adage has no relevance when it comes to new laws to protect kids online.  Maine's  “Act To Prevent Predatory Marketing Practices Against Minors,” effective September 12, 2009, was the source of major controversy and litigation over the Summer because of the law's extreme overbreadth.  See, e.g.  "Child-Proofing Your Ads: New Maine Law restricts Marketing to Minors", National Law Journal (August 4, 2009)   

A lawsuit brought to enjoin the law from going into effect resulted in the plaintiffs and Maine's Attorney General agreeing that the law could violate the First Amendment to the United States Constitution because of its overbreadth.  U.S. District Judge John A. Woodcock dismissed the lawsuit without prejudice, observing that "[t]he Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications ... and accordingly has committed not to enforce it.”  The Order goes on to say any private suits brought under the law “could suffer from the same constitutional infirmities.”   Thus, most observers believe that businesses run little risk from non-compliance with the law in light of the Judge's observations even though they are dicta.

Even the sponsor of  the law now recognizes that it has problems, but according to press reports blames that on the fact that no one raised any issues during the public hearings on the legislation leading to the law. The law is expected to be revised when the Maine legislature reconvenes in January 2010.

It was over the course of the Summer when Maine’s leaders came to recognize that the hastily-passed law, although bearing a laudable pro-kids/anti-predation title, may not have been exactly what they thought it was. The closer look prompted serious second thoughts and the lawsuit that effectively stays enforcement of the law.

  • To start with, the Maine law goes well beyond predatory practices because it covers all marketing to people under 18 in Maine, whether you know they are under 18 or not. And it greatly exceeds the scope of the federal Children’s Online Privacy Protection Act of 1998  (“COPPA”). 
    • On a national level, COPPA requires web site operators to obtain verifiable parental consent before collecting personal information online from children.  While COPPA applies to children under 13 years old, the Maine law includes anyone under age 18 and makes no distinction between information collection online or offline – it all is covered whether the business has a commercial web site or not. And unlike COPPA, which does not provide for a private cause of action, the Maine law allows individuals to bring civil suits and to seek punitive damages, equitable relief and attorney costs.
  • Section 9552 of the Maine law prohibits knowingly collecting or receiving "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent." It also prohibits selling, offering to sell or otherwise transferring to another "health-related information or personal information about a minor."
  • Section 9553 flatly prohibits using health-related or personal information about a minor for "marketing a product or service to that minor or promoting any course of action for the minor relating to a product." There is no parental consent exception.  So, while businesses may be able to collect, receive and sell a minor's information, as long as there is verifiable parental consent, they may not use that information for marketing regardless of parental consent prior to collecting the data.

Like many state privacy laws, the coverage of the law extends to those wherever located who collect information from state residents.  Thus, businesses nationwide are covered. And those businesses appear to be prohibited from sending to those under 18 in Maine any marketing information, even materials requested by Maine kids like college information and volunteer service brochures. No provision is made in the law for non-profit or educational institutions.  And, again, notably, the law does not require knowledge that the person to whom marketing information is sent is under 18, making compliance even more difficult.

At web sites where kids have signed up legally, the sites are banned from communicating with those people if there is a marketing message, even where there is a bona fide request for information.  

And so, businesses of all types would have a hard time figuring out how to exclude Maine’s minors from their marketing efforts without thwarting their legal right to send information to people in the 49 other states, DC and the territories.  That is why the lawsuit seeking an injunction against the law going into effect was brought.  The judge's order avoided an injunction against the State but made it clear that the law had Constitutional deficiencies. 

States often are heralded as incubators of our nation’s privacy laws, but in Maine, the “baby” may not be exactly what the parents expected.

Ninth Circuit Rules on CAN-SPAM Standing Requirements

The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited.  Judge Richard Tallman, who authored the court's opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (Aug. 6, 2009, 9th Cir.), noted that this was the first case in which the Ninth Circuit had attempted to comprehensively address the standing requirements under CAN-SPAM. 

The plaintiff, James S. Gordon, operated a website through which he provided email addresses for himself and friends and family members.  He intentionally registered these email addresses with 100-150 email mailing lists.  After the addresses began receiving commercial email, Gordon filed suit against many of the companies, including Virtumundo, Inc., that had sent such email.

The CAN-SPAM Act is primarily enforced by the Federal Trade Commission and state Attorneys General.  However, the Act does provide a private right of action for a "provider of Internet access service adversely affected by a violation."  The Ninth Circuit held that Gordon failed to satisfy either prong of this standing requirement. 

In addressing the service provider prong of the standing requirement, the court noted that the CAN-SPAM Act does not limit standing to traditional Internet service providers and cited to two lower court decisions that held that the social networking services MySpace and Facebook qualified as "access services."  While explicitly declining the opportunity to set forth a general test as to what it means to be "a provider of Internet access service," the court found that Gordon's service was limited to setting up email accounts and passwords and executing other administrative tasks, which was not enough to raise him to the level of Internet access service provider within the meaning of CAN-SPAM.  Gordon's online access was provided by Verizon, and GoDaddy provided the service that enabled Gordon to create the email addresses and the personalized web site; according to the court, both of these entities could have a compelling argument that they are Internet access service providers.

As for the second prong of the standing requirement, CAN-SPAM itself does not define "adversely affected."  The Ninth Circuit noted that "the harm must be both real and of the type experienced by ISPs."  Where there is suspicion that "a plaintiff is not operating a bona fide Internet access service," courts should take an especially close look at the cited harms.  The court found that Gordon had failed to argue that he had suffered any real harm as contemplated by the CAN-SPAM Act.  He did not have to hire additional personnel, nor did he experience the technical concerns or costs that may be attributed to commercial email.  Rather, the court found that Gordon intentionally sought out and benefited financially from the burdens of which he later complained and could not be considered "adversely affected."

Finally, the court also held that Gordon's state law claims regarding allegedly misrepresented email header information were preempted by CAN-SPAM.  The court held that Gordon's claim that the "from lines" of the emails failed to clearly identify Virtumundo as the sender, did not rise to the level of "falsity or deception," the only type of state law commercial email claim excepted from CAN-SPAM preemption.

Gordon's claims were therefore denied on three counts:  (1) he was not an Internet access service provider; (2) he was not adversely affected; and (3) his state law claims were preempted by CAN-SPAM.  Three strikes and this plaintiff is out.