HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

• Email This
• Print
• Share Link

The Federal Communications Commission (FCC) issued a Public Notice seeking comment on a Petition for Expedited Clarification and Declaratory Ruling (Petition) filed by Global Tel*Link Corporation (Global Tel) regarding its outbound calling practices.  The Petition raises several key issues under the Telephone Consumer Protection Act (TCPA) and related FCC rules, including whether certain calls (e.g., non-telemarketing calls) should be exempt from some of the TCPA’s restrictions on the use of prerecorded messages and autodialers.  Given the broad applicability of the TCPA and the FCC’s rules, this new proceeding could affect any company that places calls using prerecorded messages or autodialers.

The TCPA and the FCC’s rules prohibit, among other things, the use of automatic telephone dialing systems (“autodialers”) or artificial or prerecorded messages when calling, inter alia, telephone numbers assigned to wireless services, absent an emergency or the “prior express consent” of the called party.  Of note, the restriction against placing these calls to mobile phones without prior express consent applies regardless of whether the call is a “telemarketing” call.  The TCPA and the FCC’s rules also make it unlawful to place a non-emergency telephone call to a residential line “using an artificial or prerecorded voice” without the recipient’s “prior express consent” (although there are some exceptions).   

As described in the Petition, Global Tel provides outbound calling services for prison inmates.  For certain outbound calls (e.g., some calls from inmates to mobile phone numbers), Global Tel sets up a billing arrangement with the called party before connecting the called party to the inmate.  For example, when the inmate places a call, Global Tel initiates an “automated interactive voice response notification” to:

• inform the called party that an inmate is trying to make contact;
• get consent for the call; and
• establish the billing arrangement. 

Global Tel then puts the call through. 

Concerned that these inmate calls could expose the company to liability under the TCPA and the FCC’s rules, Global Tel has asked the FCC to exempt the calls from TCPA enforcement.  For example, Global Tel argues that the calls to landline phones serve no commercial purpose, are not an unsolicited advertisement, and include an opt-out mechanism so that called parties can avoid future calls.  Regarding calls to mobile telephone numbers, Global Tel argues, among other things, that it can be presumed that the inmate has dialed a cell phone number because that is the number at which the called party wishes to be reached.  Moreover, the called party may have only a wireless phone (and not a landline phone).  Separately, Global Tel argues that its calls do not involve the use of an autodialer or predictive dialer.

Although the Petition is focused on Global Tel’s situation, the FCC’s decision in this proceeding could affect many companies that rely on the use of prerecorded messages or autodialers as part of their communications strategy.  Nonetheless, the FCC has established a very short comment period for this item – comments will be due just 15 days after the item appears in the Federal Register, and replies are due 25 days after the item appears in the Federal Register.

• Email This
• Print
• Share Link

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:  

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

• Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;

• Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;

• Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and

• Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

• Email This
• Print
• Share Link

The UK government has announced plans to launch a new website www.data.gov.uk , which will allow public access to official data, and has called on web-founder Sir Tim Berners-Lee, to assist.  The website aims to improve transparency and will be similar to the US site 'data.gov', which already includes information from the US defense department and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics.  In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).

So far, the site has been in test mode, for developers to try out its features and provide feedback, but once 'live', it is hoped that public users will benefits from having the information and services in one place and see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports - http://news.bbc.co.uk/1/hi/technology/8470797.stm

• Email This
• Print
• Share Link

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA).  Both rules have public comment periods of 60 days and are scheduled to be published in the Federal Register on January 13, 2010.  Final rules are expected to be issued in the spring of 2010.

EHR Incentives for “Meaningful Use”

The CMS Proposed Rule defines the criteria for “meaningful use” of certified electronic health record (EHR) technology. “Eligible professionals” (EPs) and hospitals that meet this criteria will be eligible for incentive payments beginning in 2011.

CMS proposes to phase in meaningful use criteria in three stages. The Proposed Rule focuses on the Stage 1 criteria, and CMS plans to propose Stage 2 and Stage 3 criteria in future rulemaking, with a goal of issuing proposed Stage 2 standards by the end of 2011 and proposed Stage 3 standards by the end of 2013. 

For Stage 1, which begins in 2011, CMS has proposed 25 objectives, or measures, for EPs and 23 objectives for eligible hospitals, all of which must be met in order for a provider to be deemed a meaningful EHR user.

Standards, Implementation and Certification Criteria

The ONC Interim Final Rule sets forth initial standards, implementation specifications and certification criteria for EHR technology.  These provisions specify the capabilities and related standards that certified EHR technology must include in order to support the proposed Stage 1 requirements for meaningful use.  This Rule goes into effect 30 days after publication in the Federal Register.

According to ONC, the standards set forth in the Rule “rely heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7 (HL7), the National Institute of Standards and Technology (NIST) and Integrating the Healthcare Enterprise (IHE).”  The standards, which fall into the categories of vocabulary, content exchange, transport and privacy/security, also rely upon classification and nomenclature systems such as SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP and RxNorm. 

ONC will issue a separate Notice of Proposed Rulemaking relating to the testing and certification process for EHRs and EHR Modules in early 2010. 

• Email This
• Print
• Share Link

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features.  According to the FTC, one of the websites allowed consumers to share photos and personal stories online.  In connection with the collection of personal information, the websites required that consumers provide their date of birth. 

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA.  Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.

• Email This
• Print
• Share Link

I was honored to be invited to speak at the IBM IT Services Legal Summit today in New York City on the topic of ethics and privacy.  As a launching pad for my discussion of privacy ethics, I used the episode from earlier in the year involving Justice Scalia and Fordham University Professor Joel Reidenberg whose privacy law class created a "digital dossier" on the Justice and his famiiy, using publicly available online information.

It seems unlikely that there are workable ethical guidelines to restrict access to and use of publicly available information on the Internet.  If information is on the Internet, searchable through Google, it is unlikely society can set new norms to restrict access. 

[P]ending a societal change in the ethics of what we do with information we can access online, what can be done?

Well, one place to start is at the input side of things. Before people reveal information about themselves or allow data to be collected about them, since it appears to be fair game once it is collected, what is the ethical duty to put people on notice on the collection side? 

I said that the duty, in which privacy lawyers play an important role, is to provide clear, easy-to-access notice to consumers before data is collected, referencing the recent Sears case at the FTC and the ongoing debate abut behavioral advertising.

A copy of my prepared remarks is available here. 

• Email This
• Print
• Share Link

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

• Email This
• Print
• Share Link

The Federal Trade Commission has just announced that it will host a series of day-long public roundtable discussions on the East and West Coasts "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data."  The first roundtable discussion will occur on December 7th at the FTC Conference Center in Washington.

It has been widely-reported that the FTC is examining new ways to think about privacy and these discussions will further that examination. 

As the Commission explained the focus of the first roundtable:

Such [technology and business] practices [to be examined] include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The initial questions the FTC has presented for comment at the first workshop are:

1. What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information?  For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
    
2. Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations?  How determinative should consumer expectations be in developing policies about privacy?
    
3. Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?

The FTC has explained that individuals and organizations may submit requests to participate as panelists in the December dicussion, and may recommend topics for inclusion on the agenda. The requests and recommendationshave been directed to privacyroundtable@ftc.gov.   More details can be found here.

• Email This
• Print
• Share Link