European Data Privacy Supervisor Issues Press Release on ePrivacy Directive

ePrivacy:  On 9 November, the European Data Privacy Supervisor (EDPS) issued press release 09/13 on the ePrivacy Directive, which will be amended soon as part of the E-Communications Regulatory Framework.  The EDPS is an independent body responsible for data privacy within EU institutions.  As would be expected, it takes an expanded view of data privacy, because that is its sole focus and responsibility.  The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”  It expanded on this theme with the following: 

  • For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
  • Reinforced protection against interception of users’ communications through the use of - for example - spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
  • The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and
  • Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated: 

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.


European Network and Information Security Agency (ENISA) Issues Cloud Computing Guidance

The European Network and Information Security Agency (ENISA) has just published a paper on cloud computing, which discusses the benefits and risks of cloud computing from a security perspective. The paper also includes recommendations for improving information security in the context of cloud computing and provides a set of questions (in our view a very helpful one) that organizations can use to assess whether or not providers of cloud computing services are sufficiently protecting the data entrusted to them.

The key conclusion of the paper is that the “cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective.” 

The paper is particularly timely in light of the European Commission’s public consultation on the legal framework for the fundamental right to protection of personal data, which closes at the end of next month. ENISA’s paper includes specific recommendations for the European Commission’s future consideration. It rightfully points out that certain issues related to the EU Data Protection Directive and Article 29 Working Party recommendations warrant clarification. In the current legal framework, it is not clear, for example, under which circumstances a provider of cloud computing services may be classified as a “joint controller” of personal data. ENISA also recommends that the European Commission examine and clarify, inter alia:

- whether providers of cloud computing services should be obliged to notify their customers of data security breaches (and what information should be provided to these customers);

- the legal impact of data transfers to providers of cloud computing services in countries outside the European Economic Area (EEA), if those countries do not provide an “adequate” level of data protection;

- how the intermediary liability exemptions arising from the eCommerce Directive apply to providers of cloud computing services.

As far as information security is concerned, ENISA’s paper provides useful and practical guidance for potential and existing users of cloud computing services as well as policy makers. It will be interesting to see to what extent its recommendations will result in concrete action by the European Commission and/or the Article 29 Working Party.

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

Privacy vs. Accountability Highlighted at Denver Symposium in Which Hogan Partner Participated

The University of Denver Law Review today presented a Symposium on "Cyber Civil Rights: New Challenges for Civil Rights and Civil Liberties in Our Networked Age."  Hogan & Hartson partner (and privacy group co-chair) Christopher Wolf delivered remarks on "Accountability for Online Hate Speech: What Are The Lessons From 'Unmasking' Laws?”

Chris observed that online anonymity and the privacy it shields can be used as a sword to injure the human dignity of others who are victimized by hate speech.  It also can be used to mislead and indoctrinate young people.

The Internet, in large part because of the shield of online anonymity, has become the medium through which hate groups plot and promote real-world violence, recruit and indoctrinate like-minded haters, and mislead and distort information for those – like students – who innocently link to their content. There are, of course, notorious hate mongers who use their real identities and revel in the limelight.  But the vast majority of hate spewed online is done so anonymously. The Internet content of hate mongers – words, videos, music, and social network postings – serves to offend the human dignity of the intended victims: minorities and those whom hate groups identify as “the other”.

Chris went on to point out the problem of cyberbullying and hate-filled comments appended to mainstream news articles online.  After reviewing the legal regimes used to "unmask" online copyright infringers, those who commit defamation online, and KKK members while marching in groups, Chris acknowledged the First Amendment limitations on legal regulation of anonymous speech online and proposed a self-regulatory regime by online companies to address hate speech online.  A copy of his full remarks can be found here.


Agencies Issue Model GLBA Form That Provides Safe Harbor

The Gramm-Leach-Bliley Act ("GLBA") requires covered institutions to notify consumers of their information-sharing practices and inform them of their right to opt out of certain sharing practices.  For years, people have been complaining that the notices sent to consumers were dense and confusing.  Indeed, the Financial Services Regulatory Relief Act of 2006 amended GLBA to require that the financial regulatory agencies propose a succinct, comprehensible model form that would be easy to read and would allow consumers to compare easily the privacy practices of different financial institutions.

Yesterday, after a lengthy drafting process, eight federal regulatory agencies (the Board of Governors of the Federal Reserve System; the Commodity Futures Trading Commission; the Federal Deposit Insurance Corporation; the Federal Trade Commission; the National Credit Union Administration; the Office of the Comptroller of the Currency; the Office of Thrift Supervision; and the Securities and Exchange Commission) released a final model privacy notice form designed to make it easier for consumers to understand how financial institutions collect and share information about consumers.  The model form provides standardized language in easy-to-read form.

According to the FTC press release, "the agencies conducted extensive consumer research and testing in developing the model form issued today.  Then they solicited public comments and considered those comments in developing a model form that is easier for consumers to understand and use."

The final rule provides that a financial institution that chooses to use the model form obtains a “safe harbor” and will satisfy the disclosure requirements for notices.  Here is a link to the FTC announcement of the model form, which contains links to the form and the rule adopting it.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL.  Senators Détraigne and Escoffier delivered last May a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.  

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks.  French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.

Debates on the text will begin in March 2010.  It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive.  Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.

New White Paper Co-Authored by Hogan's Christopher Wolf Outlines How "SmartPrivacy" Concept Can be Used to Address the Privacy Concerns Raised by the Smart Grid

A new white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation,  highlights the importance of building privacy into new "Smart Grid" technologies from the outset.  The paper is co-authored by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, Jules Polonetsky and Hogan’s Christopher Wolf.  Wolf and Polonetsky co-authored the paper in their capacity as co-chairs of the Washington-based Future of Privacy Forum.

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

The paper outlines Commissioner Dr. Ann Cavoukian’s SmartPrivacy concept and how it can be used to address the privacy concerns raised by the Smart Grid.

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”  But it is not quite as clear-cut as that quote suggests.  The consent requirement relates to cookies that collect personal data -- an important qualification -- and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but implies any other new technology that could be used to track users’ behavior using their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.

Senate Committee Approves Data Security Bills Creating Federal Data Security Program, Breach Notification Requirements: Criminal and Civil Penalties Give Proposed Law Real Teeth

On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today.

S. 1490, introduced by Sen. Patrick Leahy (D-Vt.), would preempt most state data security laws. The bill would mandate the implementation of a comprehensive data security program by all businesses maintaining personally identifiable information (PII) of 10,000 or more individuals not currently required to do so by certain federal laws (such as GLBA for those maintaining financial information and HIPAA for those maintaining health information). Covered businesses would be required to conduct an internal data security risk assessment, adopt controls to reasonably manage these risks and to detect security breaches, and conduct regular vulnerability testing and reassessment to ensure their program is appropriately managing risks.

The bill would also create a federal data breach notification requirement, preempting the variety of state laws that today cause compliance headaches among those that experience such a breach. The bill's provisions mirror most of the common themes of the state laws, including that breaches must be reported "without unreasonable delay" except as necessary for law enforcement or national security purposes, and that in addition to the affected individuals notification must be made to prominent media in all states in which the information of 5,000 or more individuals is reasonably believed to have been breached. Like some of the state laws, the bill contains a "risk of harm" threshold, exempting notification in situations in which it is determined that there exists no significant risk that the breach will result in harm (with the approval of the Secret Service of this determination). The use of effective encryption, redaction, or other industry-standard controls would create a statutory presumption that no harm is likely to occur from a breach.

AICPA Sues FTC to Block Red Flags Applicability to Accountants

The American Institute of Certified Public Accountants (AICPA) on Tuesday filed a lawsuit against the Federal Trade Commission (FTC) challenging the applicability of the agency's Red Flags Rule to Certified Public Accountants.  This comes on the heels of a district court ruling, in a lawsuit brought by the American Bar Association (ABA) reported here, that the regulations do not apply to lawyers.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA President and CEO Barry Melancon. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The accountants' lawsuit alleges primarily that the FTC lacks authority to regulate CPAs, just as it lacks authority to regulate lawyers, both of whom are regulated by state authorities.  In addition, the lawsuit claims that the FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an "extension of credit" under the rule and that it failed to identify any legally supportable basis for applying the rule to accountants.  The FTC specifically referred to accountants as potentially covered entities in its FAQs concerning the rule published over the summer.  The AICPA alleges that in promulgating the rule, the FTC never identified CPAs as potentially covered entities.

The Red Flags rule has been the source of significant controversy which, in addition to the lawsuit by the American Bar Association, has resulted in repeated extensions of the FTC enforcement date.  Currently, the FTC is set to enforce the rule on June 1, 2010.

Reflections on the International Conference of Data Protection and Privacy Commissioners in Madrid

As the 31st annual International Conference of Data Protection and Privacy Commissioners wraps up in Madrid, capped by the announcement that next year’s conference will occur in Jerusalem, to be hosted by the Israeli Information and Technology Authority, some reflections:

• Security vs. Privacy:  There continues to be a tension between the need for security from terrorist and criminal attacks and the right to be free of excessive collection and retention of personal data by governments.  This was the focus of the remarks of the Spanish Minister of the Interior and the US Secretary of Homeland Security, and of a panel of experts from around the world who concluded that more attention needs to be paid to whether all of the information that is harvested from citizens is actually needed.  The pre-conference session of The Public Voice organized by the Electronic Privacy Information Center resulted in a Madrid Declaration that warned that "privacy law and privacy institutions have failed to take full account of new surveillance practices."

• Corporate Accountability and New Privacy-Enhancing Technologies:  Presentations by corporate representatives of Google, Microsoft, eBay, Yahoo!, Procter & Gamble, Accenture and others showed that corporate accountability for privacy (a concept advanced enthusiastically by our friend Marty Abrams of the Center for Information Policy Leadership) is guided not only by the need to be legally compliant but also by the recognition that in our information society, responsible data management will build consumer trust.  There was an impressive demonstration of various new technologies that provide greater transparency and more robust notice to individuals about the collection of data about them, and that give them greater control over the collection, use, transfer and retention of personal data.  For example, Google unveiled new privacy tools and Jules Polonetsky, my co-chair at the Future of Privacy Forum, illustrated the array of technologies available to protect the privacy of children.  The greater demonstration of such “self-regulation” through corporate accountability and the deployment of privacy-enhancing technology was recognized at the conference as an essential pillar of privacy protection.

• US Law and Enforcement:  In the panel on children’s privacy, John Avila of the Walt Disney Company gave a compelling overview of the breadth and depth of US legal protections for privacy, which include COPPA to protect kids, and which he pointed out focus on the areas of greatest privacy concern (such as financial and health privacy).  There were also presentations on the robust enforcement of US privacy laws by the FTC and other authorities, and the innovations in regulation that include, for example, data security breach notification laws, which serve as a model for new regulation in Europe.  My conversations with various EU Data Protection Commissioners indicated a growing respect for the US scheme of data protection, in stark contrast to the official EU position that the US lacks adequate protections for personal data, which prohibits the cross-border transfer of data to the US absent special arrangements (such as Safe Harbor participation, model contracts or Binding Corporate Rules).

• Cloud Computing and the Smart Grid:  There was a focus on the privacy issues implicated by new technologies such as the next generation of cloud computing and the Smart Grid.

• Cross-Border Harmonization of Regulation:  Another important theme of the conference concerned cross-border harmonization of privacy regulation, even among countries in the EU that operate under the common principles of the EU Directive but whose laws often reflect differences in detail and application.  In that regard, the European Commission is in the process of soliciting views on the new challenges for personal data protection in order to maintain an effective and comprehensive legal framework to protect individuals’ personal data within the EU.

As with many such conferences, the value of the formal program was augmented by the opportunity for data protection regulators to meet informally with representatives of civil society, privacy advocates, privacy lawyers, and corporate privacy officials.  The interactions over lunch and dinner, and at the wonderful art galleries of Madrid (where tours were made part of the official agenda), allowed for the sharing of perspectives and ideas, and a recognition that no matter which sector is involved, those gathering in Madrid share the commitment to the protection of personal privacy.

Next year in Jerusalem!

DHS Secretary Addresses Delegates in Madrid on Goal of US-EU Agreement on Data Sharing and Privacy

Today at the 31st International Conference of Data Protection and Privacy in Madrid, US Secretary of Homeland Security Janet Napolitano spoke to those of us in attendance about her goal of a US-EU binding agreement on data sharing and privacy.  See this account from former Hogan & Hartson partner Mary Ellen Callahan, now Chief Privacy Officer at DHS, who accompanied Secretary Napolitano to Europe.

Following the ceremonial opening of the conference and addresses from senior government officials from Spain and the US, the delegates got down to work on granular issues of privacy and data protection.  Look for more reports as the meeting progresses.

FTC Issues Guidance on Blogging-for-Pay, Testimonial Disclaimers, and Celebrity Endorsements in First Revision of Endorsement Guides in 29 Years

We have distributed a Hogan & Hartson Privacy Update on the FTC's October 5 revisions to its Guides Concerning the Use of Endorsements and Testimonials in Advertising, the first modifications to these key advertising guidelines since 1980.  While the Guides are advisory in nature, they reflect situations in which the FTC may exercise its prosecutorial discretion to enforce Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Key among the revisions is the guideline that bloggers and other Internet users who are compensated to endorse products must disclose this connection in their endorsement, and both the blogger and the advertiser are responsible for ensuring that factual claims about the product made by the blogger are substantiated.  Another key provision states that advertisers, when using an endorser whose experience does not reflect generally expected results when using the product, should issue a clear disclaimer communicating the generally expected results, departing from earlier enforcement policy that allowed advertisers to simply display a disclaimer stating that the endorser's results were not typical.  The FTC also added many examples to guide advertisers in their use of endorsers.

The update can be accessed here.

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws.  Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

The Commission’s Information Society Commissioner, Viviane Reding, now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

FTC Announces COPPA Enforcement Action

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features.  According to the FTC, one of the websites allowed consumers to share photos and personal stories online.  In connection with the collection of personal information, the websites required that consumers provide their date of birth. 

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA.  Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.