HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: Consumer Privacy

Posted in Consumer Privacy

FTC ALJ: Embarrassment/Emotional Harm and Risk of Harm Does Not Satisfy “Substantial Consumer Injury” Prong of Unfairness

On November 13, 2015, the Federal Trade Commission’s Chief Administrative Law Judge dismissed an FTC administrative complaint based on LabMD’s alleged failure to provide “reasonable and appropriate” security for personal information maintained on its computers. The ALJ concluded that complaint counsel failed to prove that LabMD’s alleged practices constituted an unfair trade practice. Specifically, according to the ALJ’s initial decision, complaint counsel failed to prove by a preponderance of the evidence the first prong of the three-part unfairness test – that the alleged unreasonable conduct caused or is likely to cause substantial injury to consumers as required by Section 5(n) of the FTC Act. The case is notable for being the first data security case tried before an ALJ and one of only two instances where a company has fought the FTC’s decision to move forward with an enforcement action based on allegations that a company has engaged in unfair practices because of inadequate data security practices. Companies have otherwise voluntarily entered into consent decrees without admitting liability. In the other instance where a company did not capitulate to an FTC enforcement action, Wyndham moved to dismiss the FTC’s lawsuit against it in federal district court based on lack of jurisdiction. Wyndham lost in the district court, and on an interlocutory appeal the federal court of appeals upheld that ruling but remanded the case to district court for a trial on the merits, which will assess whether Wyndham’s alleged unreasonable data security practices meet the unfairness factors in section 5(n) of the FTC Act. Accordingly, as the ALJ did here, the court in Wyndham will consider whether the practices and the data breaches there caused or were likely to cause substantial consumer injury under the first prong of an unfairness inquiry.

Posted in Consumer Privacy

FCC Continues String of Data Security Cases, Settling with Cox for $595,000

On November 5, 2015, the Federal Communications Commission Enforcement Bureau announced a $595,000 settlement agreement with Cox Communications, Inc. to resolve an investigation into whether the company failed to properly protect its customers’ personal information when electronic data systems were breached in August 2014. According to the FCC, Cox exposed the personal information of numerous customers and failed to report the breaches through the Commission’s established breach-reporting portal.

Posted in Consumer Privacy, News & Events

Upcoming DC Program Explores Where We Are Headed with Section 5 of the FTC Act

Data privacy and security regulators don’t always agree. Take a look at the Federal Trade Commission, for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk. On Thursday, November 5, 2015, the Future of Privacy Forum will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School of Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Draft Framework on the Internet of Things

The National Institute of Standards and Technology released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.

Posted in Consumer Privacy, Privacy & Security Litigation

California Legislature Advances UAS Legislation

For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems, including, but not only, through privacy-related legislation. In the 2014 session, one bill passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment. The bill is codified at California Civil Code section 1708.8. In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp., upholding the authority of the Federal Trade Commission to oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered the issue of whether the FTC had authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

Posted in Consumer Privacy

FTC Settlement Reinforces Lessons for Data Broker Industry

The FTC has brought a number of actions over the years against companies that shared or failed to protect consumer information in violation of privacy policy promises or transferred data in violation of specific laws, such as the Fair Credit Reporting Act. In what may be viewed as charting new territory, the FTC recently brought a second action against a data broker for selling payday loan application information to entities that were not engaged in making any kind of loans to consumers. Both sets of defendants purchased payday loan application information from online payday loan websites where consumers provided personal information, including financial institution account information, on the applications. The defendants purchased the application information from the websites and sold the information to third parties who did not make payday loans to consumers, but rather made unauthorized charges to consumers’ accounts. The Commission alleged that the selling of such sensitive information was unfair.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

FTC Issues Data Security Guidance and Announces Data Security Conferences

The Federal Trade Commission has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.

Posted in Consumer Privacy

French CNIL Enforces Cookie Consent

On June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies. After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Tackles Cybersecurity in the Smart City

After the recent release of the discussion draft of its Framework for Cyber-Physical Systems, the National Institute of Standards and Technology has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.

Posted in Consumer Privacy

FTC’s Latest Location-Tracking Settlement Reminds Companies to Mind Any Gap Between What They Say and What They Do

On April 23, the FTC accepted an administrative consent order with Nomi Technologies, Inc., which uses mobile device tracking technology to provide analytics services to retailers through its “Listen” service. At first blush, the action appears to involve a straightforward alleged misrepresentation in a privacy policy, but the two dissenting statements from Commissioner Wright and Commissioner Ohlhausen reveal more complex legal and policy issues. The settlement provides useful insights into how the current Chairwoman and Commissioners view deception cases on data privacy issues. It also affirms that a company’s public statements must be accurate, but suggests that voluntary promises relating to privacy should be made cautiously.

Posted in Consumer Privacy, Privacy & Security Litigation

Court Allows FTC to Move Forward in “Common Carrier” Exemption Case

Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.

Posted in Consumer Privacy, International/EU Privacy

Canada’s Anti-Spam Law: First CASL Enforcement Action Brings $1.1 Million Penalty

Earlier this month, the Canadian Radio-television and Telecommunications Commission’s Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation. Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law.

Posted in Consumer Privacy

U.S. FCC Decision Triggers Potential Sea Change in Broadband ISP Data Privacy and Security Requirements

In its recent Open Internet Order, the U.S. Federal Communications Commission determined that broadband Internet access services are appropriately classified as common carrier “telecommunications services” under the Telecommunications Act of 1996. In doing so, the agency established itself as the primary U.S. data privacy and security regulator for those services and triggered additional requirements under the Act. It also promised a future rulemaking that could result in a sea change in how ISPs and their business partners interact with consumer data. Although the decision is widely expected to be appealed in court, organizations operating across the broadband ecosystem would be prudent to assess the potential impact on their current and planned online service portfolio.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

IPTF Seeks Public Input on Key Cybersecurity Challenges Facing the Digital Economy

On March 16, the U.S. Commerce Department’s Internet Policy Task Force published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Discussion Draft on Cyber-Physical Systems Framework

This week, the National Institute of Standards and Technology released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.

Posted in Consumer Privacy

NTIA Launches Multistakeholder Process to Develop Privacy Best Practices for Commercial and Private Unmanned Aircraft Systems

On March 4, the U.S. Commerce Department’s National Telecommunications and Information Administration announced it is seeking comments on how to structure a new multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. NTIA also announced that it will likely hold its first multistakeholder meeting within 90 days.

Posted in Consumer Privacy

The Auto Industry Is Serious About Connected Car Privacy

An issue that has started to appear on the privacy agenda is privacy and the “connected car.” Automakers here in the United States have taken the lead on privacy, and have answers to many of the inevitable privacy questions. Late last year the major automakers voluntarily agreed to a set of privacy and data security principles that will regulate how automakers collect, use, and share information. No other industry in the “Internet of Things” ecosystem of which connected cars are a part has done as much or has gone as far as automakers. The automakers understand that without the trust of consumers, new technologies will not be as readily embraced. The Privacy Principles provide a strong basis for such trust.

Posted in Consumer Privacy

The Law of Securing Consumer Data on Networked Computers

The status of consumer data security law in the United States is at a crossroads. Last week, the White House released a discussion draft of its Consumer Privacy Bill of Rights Act of 2015, which would require businesses collecting personal information to maintain safeguards reasonably designed to ensure the security of that information. And yesterday, the Third Circuit held oral argument in FTC v. Wyndham Worldwide Corp., in which the district court last April denied Wyndham’s challenge to the Federal Trade Commission’s data security enforcement efforts.

Posted in Consumer Privacy, Employment Privacy, Privacy & Security Litigation

Insights on the Consumer Privacy Bill of Rights Act of 2015

On Friday, February 27, the White House released its promised draft privacy and data security legislation. The proposed Consumer Privacy Bill of Rights Act of 2015 contains few, if any, surprises and would codify the framework that the White House proposed in 2012, imposing privacy and data security requirements across sectors and industries. The proposal has drawn criticism from the Federal Trade Commission and privacy advocates for not containing enough consumer protections, and from the business community for a lack of clarity and the potential to stifle innovation and to create other unintended consequences. In this post, we summarize the Act and some of the ramifications if it were to be adopted in its current form.

Posted in Consumer Privacy

Hogan Lovells at IAPP Global Privacy Summit 2015!

Hogan Lovells’ leading Privacy and Information Management practice will actively participate at this week’s IAPP Global Privacy Summit 2015. Enclosed is a listing of events in which our lawyers will be featured.

Posted in Consumer Privacy

Department of Education Issues “Model Terms of Service” and Other Guidance on Student Privacy Compliance

On February 26, the U.S. Department of Education issued guidance aimed at assisting schools and school districts when considering whether the use of online educational services and mobile applications complies with student privacy laws. The guidance consisted of two main components. First, the Department published a document entitled Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, which evaluates common privacy-related provisions in online Terms of Service and analyzes how they comply with student privacy requirements. Second, the Department produced a user-friendly, 10-minute training video directed to K-12 administrators, teachers, and staff about schools’ privacy obligations when using online educational services and applications. Finally, the guidance encourages school administrators to check the Student Privacy Pledge when considering whether to use online educational services in the classroom.