HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

The FTC yesterday issued a staff report calling upon members of the mobile app ecosystem to provide better privacy notices to parents about mobile apps directed to children.  The report, titled "Mobile Apps for Kids: Privacy Disclosures are Disappointing," highlights the findings from an FTC survey of the mobile apps for children available in the Apple App Store and the Android Market. 

The FTC evaluated the types of apps offered to children, the disclosures provided to users in the app stores and on the app developers' websites, interactive features such as connectivity with social media, and the ratings and parental controls offered for the apps.  FTC Chairman Jon Leibowitz stated that "right now, it is almost impossible to figure out which apps collect what data and what they do with it," and said the children's app ecosystem must "wake up" and provide "easily accessible, basic information, so that parents can make informed decisions about the apps their kids use."

• Email This
• Print

Today the Federal Communications Commission unanimously adopted a Report and Order that imposes new restrictions on autodialed and prerecorded telemarketing calls.  Although the action is designed to harmonize the FCC's Telephone Consumer Protection Act (TCPA) rules with the Federal Trade Commission's Telemarketing Sales Rule (TSR), it affects more entities and a greater number of calls than the TSR.

• Email This
• Print

A draft bill circulated by Rep. Ed Markey (D-Mass) would require the Federal Trade Commission (FTC) to adopt regulations addressing monitoring software installed on mobile devices.  The bill stems from media reports last year regarding Carrier IQ's monitoring software, which is installed on millions of mobile devices.  If enacted, the Mobile Device Privacy Act would result in new obligations for wireless service providers, equipment manufacturers, device retailers, operating system providers, website operators, and other online service providers, underscoring both the number of industry segments involved and the complexity of addressing privacy concerns in todays mobile ecosystem.

• Email This
• Print

Sometimes Fourth Amendment cases (which by definition arise in a governmental context) have implications for consumer privacy law since the "reasonable expectation of privacy" analysis can be employed in both areas.  Yesterday's U.S. Supreme Court 9-0 ruling in United States v. Jones that the warrantless attachment of a GPS device to a car for monitoring purposes violated the Fourth Amendment offers little guidance in the consumer privacy context as the majority of the Court did not rely on an "expectation of privacy" analysis.  The Court's main opinion, written by Justice Scalia, focused on narrow issue of whether there was a trespass when the GPS device was attached to the suspect's car.  Concluding that a trespass occurred, the majority of the Court found that a warrant was required under the Fourth Amendment.  Justice Scalia delivered the opinion of the Court in which Chief Justice Roberts, and Justices Kennedy, Thomas and Sotomayor joined.  Justice Sotomayor wrote her own concurring opinion and Justice Alito filed an opinion concurring in the judgment in which Justices Ginsburg, Breyer and Kagan joined.     

The main opinion of the Court chose not to address the issue of whether the suspect had a reasonable expectation of privacy not to be monitored, which was another available avenue of analysis.  Justice Alito said: "I would analyze the question presented in this case by asking whether respondent's reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove."  And Justice Sotomayor in her concurrence illustrated how far the Court could have gone to address the "reasonable expectation of privacy"  issue:

[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation­ of privacy in information voluntarily disclosed to third parties. (citation omitted). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Gov­ernment of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constituttionally­ protected”).

Had the Court engaged in a "reasonable expectation of privacy" analysis, that could have had an impact on the use of tort and consumer protection law to pursue privacy claims.  One could imagine the FTC declaring "unfair" under Section 5 the kind of data use deemed to have violated a reasonable expectation of privacy under the Fourth Amendment.

• Email This
• Print

• Email This
• Print

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.

• Email This
• Print

Hogan Lovells partner Daniel Brenner speculates on the impact of the July 2011 Memorandum of Understanding between major U.S. ISPs and content owners.   The Center for Copyright Information (CCI) will be responsible for administering the new gradu ated response system, and for defining privacy standards that right holders and ISPs must apply.  Will the mitigation measures promised by ISPs be effective in curbing copyright piracy?   Will the MOU's limitation to P2P exchanges limit the system's effectiveness?   Read the full story here.

• Email This
• Print

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program.  The FTC also required Facebook to obtain independent privacy compliance assessments initially and on a bi-annual basis for the next 20 years.  Given the FTC's recent consent decrees with Google and Twitter and associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

• Email This
• Print

The FTC today extended to December 23 the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information online from children under 13 under the Children’s Online Privacy Protection Act (“COPPA”). Back in September, we extensively summarized the FTC’s announcement of the proposed revisions, which contemplate several major changes to the existing COPPA regime including:

• clarifying that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
• a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
• streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
• changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
• enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
• changing the existing COPPA enforcement program to require “safe harbor programs” to exercise more oversight.

The previous deadline for the submission of comments was November 28.

• Email This
• Print

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 

• Email This
• Print

The Federal Communications Commission (FCC) has released a Notice of Apparent Liability for Forfeiture (NAL) against Travel Club Marketing, Inc. (Travel Club) in the amount of $2.96 Million for apparent violations of the Telephone Consumer Protection Act (TCPA) and related FCC rules regarding the delivery of prerecorded messages, as well as its Caller ID rules.  This enforcement action serves as a reminder to companies placing autodialed calls or delivering prerecorded messages to ensure that such calls and messages comply with the TCPA and the FCC's rules.

• Email This
• Print

By Pablo Rivas and Marta Jaureguizar in our Madrid Office

On October 20th, the Spanish Data Protection Authority, the Agencia Espanola de Protecccion de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft.  The AEPD fined the individual who had created a profile in a sexually-oriented social network using personal details of a third person, including that person's name, surname, phone number, and photo.  Notably, the AEPD did not  proceed against the online host of the impersonator's content.

The impersonation was found to be a processing of the impersonated individual's personal data without his/her consent, constituting an infringement of the Spanish Data Protection Act 15/1999, of 13 December 1999.  While online impersonation has been the subject of judicial actions in Spain, this was the first exercise of the regulator's authority under the data protection law. 

• Email This
• Print

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data and privacy security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.

• Email This
• Print

 Thanks to Steven Spagnolo for his substantial assistance in drafting this entry.

On October 3^rd, the Court of Appeals for the Ninth Circuit became the first appeals court to extend the protections of the Electronic Communications Privacy Act (“ECPA”) to non-U.S. citizens when it held in Suzlon Energy Ltd. v. Microsoft Corp. that the Stored Communications Act (“SCA”) provisions of the ECPA protect the confidentiality of all email communications stored in the United States, not just those of U.S. citizens.  This broadening of the jurisdictional scope of the ECPA and SCA is likely to result in increased data privacy protection for foreign citizens, at least with regard to email communications that are physically stored on servers located in the U.S. In addition, the expanded scope of the law may simplify the process by which electronic communications service providers respond to requests for stored communications, likely alleviating the need to engage in an assessment of the citizenship of the data subject whose communications are sought.  

• Email This
• Print

Representatives Terry (R-NE) and Towns (D-NY) have introduced legislation intended to modernize the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) and authorize additional calls to wireless telephone numbers.

• Email This
• Print

The U.S. District Court for the Northern District of California earlier this week dismissed  a purported privacy class action against Apple and a group of mobile ad networks, finding that the plaintiffs lacked standing.  The decision in In re iPhone Application Litigation (PDF) is the latest in a line of dismissals of such privacy lawsuits that have stalled due to plaintiffs’ failure to allege that they were damaged by the allegedly impermissible collection of personal  information. The court dismissed the lawsuit without prejudice, allowing plaintiffs to re-file their complaint if they can come up with articulable facts showing actual injury sufficient for standing, but the court also indicated serious problems with claims asserted by the plaintiffs even if they were able to establish standing.

• Email This
• Print

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

• clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
• a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information -- all of which may impact companies’ behavioral advertising activities;
• streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
• changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
• enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
• changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

• Email This
• Print

UPDATE:  In the FTC's first case involving apps, the Commission today announced a COPPA settlement with W3 Innovations, a developer of mobile applications for Apple’s iPhone and iPod Touch, which will be required to pay a $50,000 penalty and delete illegally collected data.  The FTC said the app developers illegally collected and disclosed personal information from tens of thousands of children under age 13 without their parents’ prior consent:

In addition to collecting and maintaining children’s email addresses, the FTC alleges that the defendants also allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule, according to the FTC complaint.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose children’s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

According to the complaint, the defendants did not provide notice of their information- collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children. The FTC charged that those practices violated the COPPA Rule.

 Some say “PC’s may be going the way of the typewriter”  given the proliferation and growing reliance on tablets and mobile devices, which are handling more of the computing once done exclusively on personal computers. An article in today’s Wall Street Journal  explains:

[m]obile devices have [] helped disrupt the distribution and pricing of software. The "app store" model, pioneered by Apple and emulated by Google and others, has given tablet and smartphone users speedy access to programs that are frequently free or cost less than $5—undermining a model that grew up around stores selling disk-based PC programs that routinely cost $40 to more than $100

With apps come an array of privacy issues.  With software hosted locally, the privacy issues are circumscribed. The user knows who is getting his or her data and how it will be used.  In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy. A recent study by the Future of Privacy Forum, founded and co-chaired by Hogan Lovells’ privacy lead Chris Wolf, found that nearly three-quarters of the most -downloaded mobile apps lacked even a basic privacy policy.  In May, Sen. Al Franken (D-Minn.) sent a letter to the chief executives of Apple and Google asking that their companies require app makers to have clear, understandable privacy policies. 

In a New York Times article today entitled “Industry Tries to Streamline Privacy Policies for Mobile Users,” a new tool for app developers to create a mobile privacy policy is described as is an industry-led effort to provide an opt-out of targeted advertising based on the collection of user information.  On the issue of whether an app developer should spend money to develop a privacy policy to advise and empower consumers with respect to the collection and use of information from them, Hogan Lovells’ Chris Wolf is quoted:

The cost for a legal consultation, which can range from a couple of hundred dollars to thousands, can also be a deterrent for small app developers looking to create privacy policies. But Christopher Wolf, a partner at the Hogan Lovells law firm and a co-chairman of the Future of Privacy Forum, said app developers should not claim cost as an excuse.

“I think it’s a cop-out for app developers to say they don’t have the budget for it,” Mr. Wolf said. “It’s an investment for any business that deals in consumer data. They ought to build it into the development cost.”

“Privacy by Design,” which has been described as a growing global trend, at a minimum requires app developers to articulate what they are doing with personal data, e.g.  in privacy policies. A resource to assist app developers in building privacy into their apps is hosted in a new web site, www.applicationprivacy.org developed by the Future of Privacy Forum.  Also, the Privacy & Advocacy committee of the Mobile Marketing Association (MMA) is focused on outlining global best practices as they relate to protecting the consumer's private information.  The MMA is hosting a free webinar on September 22 in which Hogan Lovells’ Chris Wolf will participate, and described this way:

As mobile marketing continues to grow, the use of data for analysis and personalization has become increasingly important in successfully providing relevant services to users. Some of the uses of mobile data, such as location and device IDs have started drawing scrutiny by media, policymakers and advocates.

What are the issues that are creating concerns? How can you avoid the risks? What are the emerging best practices? What is the MMA doing? Join leaders of the MMA and the Future of Privacy Forum to learn how you can navigate the legal and policy challenges facing the mobile advertising ecosysytem.

Registration for the free MMA webinar is accessible here.

• Email This
• Print

Social media has been a hot topic of late.  Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed)  legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections.  Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection have covered social media developments over the past year or so, and provide a summary of our coverage for you here in one place, allowing you to take stock:

• Email This
• Print

The Supreme Court on June 27 granted certiorari in a geolocation tracking case that could have implications for companies that incorporate location-tracking features into their products or that monitor the locations of their employees or assets. Specifically, the Court asked the parties to brief whether the government violated the defendant's Fourth Amendment rights by installing a Global Positioning System (GPS) tracking device on his vehicle without his warrant and without his consent.

• Email This
• Print

Emblematic of the increasing attention to children’s privacy, on July 12, 2011, the Federal Trade Commission (FTC) and the Department of Justice’s Office for Victims of Crime (OVC) are jointly hosting a day-long forum about child identity theft. The forum, entitled “Stolen Futures: A Forum on Child Identity Theft,” will discuss foster care and familial identity theft, which is a growing problem in these difficult economic times. Identity thieves often utilize their children’s or young relatives information to obtain credit cards and other credit and children’s sensitive personal information is also vulnerable to misuse for other reasons as well. This forum follows the FTC’s roundtable last year on its Children’s Online Privacy Protection Act (COPPA) rule. 

• Email This
• Print

On May 6, 2011, the California PUC (CPUC) issued a proposed decision  by CPUC President Peevey addressing smart grid privacy and security. The proposed decision is part of a longstanding proceeding we first discussed here. 

The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention. For example, as discussed in the Chronicle of Data Protection post on April 18, 2011, the European Union’s Article 29 Working Party issued smart meter guidelines last month.

• Email This
• Print

Quentin Archer in the Hogan Lovells London office prepared this entry.  

Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.

In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.

• Email This
• Print

Hogan Lovells Privacy and Information Management practice Leader Chris Wolf recently was interviewed by the Bureau of National Affairs (BNA) in a video on what companies should be doing as changes in privacy law get mulled at the FTC, in Congress and internationally. Chris observes that companies collecting, using, sharing and storing personal data should anticipate change, and should begin to provide greater transparency about data collection and use, greater consumer choice over such collection and use, practice data minimization and use specification, and be prepared for changes in the law whether they come legislatively or through regulatory enforcement.

BNA graciously has given us permission to provide access to the video for readers of the Hogan Lovells Chronicle of Data Protection. View the video below or access it here. 

• Email This
• Print

The long-awaited privacy bill from Senators Kerry and McCain was introduced today, and the Senators provided this summary, along with this press release.   The bill follows the call by the Obama Administration for a Privacy Bill of Rights.

Senator Kerry offered this overview on his web site:

On April 12, 2011, Senator Kerry and Senator McCain introduced a Commercial Privacy Bill of Rights to establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored, and distributed.  This legislation would go a long way to increasing consumer trust in the market and generating additional activity as a result as well as protecting people from unscrupulous actors in the market by creating a set of basic rights to which all Americans are entitled.

These privacy rights include:

• The right to security and accountability: Collectors of information must implement security measures to protect the information they collect and maintain.

• The right to notice, consent, access, and correction of information:  Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection.  Additionally, the collector must provide the ability for an individual to opt-out of any information collection that is unauthorized by the Act and provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information.  Respecting companies existing relationships with customers and the ability to develop a relationship with a potential customers, the bill would require robust and clear notice to an individual of his or her ability to opt-out of the collection of information for the purpose of transferring it to third parties for behavioral advertising.  It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.

• The right to data minimization, constraints on distribution, and data integrity: Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service and retain it for only a reasonable period of time.  Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill’s requirements.  The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.

Other key elements of the Kerry-McCain Commercial Privacy Bill of Rights include:

• Enforcement:  The bill would direct State Attorneys General and the Federal Trade Commission (FTC) to enforce the bill’s provisions, but not allow simultaneous enforcement by both a State Attorney General and the FTC.  Additionally, the bill would prevent private rights of action. 

• Voluntary Safe Harbor Programs:  The bill allows the FTC to approve nongovernmental organizations to oversee safe harbor programs that would be voluntary for participants to join, but would have to achieve protections as rigorous or more so as those enumerated in the bill.  The incentive for enrolling in a safe harbor program is that a participant could design or customize procedures for compliance and the ability to be exempt from some requirements of the bill.

• Role of Department of Commerce:  The Act directs the Department of Commerce to convene stakeholders for the development of applications for safe harbor programs to be submitted to the FTC.  It would also have a research component for privacy enhancement as well as improved information sharing. 

   

• Email This
• Print

On March 28, 2011, the U.S. District Court for the Northern District of California held, in Facebook, Inc. v. MAXBOUNTY, Inc., case no. CV-10-4712-JF, that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act. The court, in denying the defendant MAXBOUNTY’s motion to dismiss, rejected that CAN-SPAM applies only to traditional e-mail as it is commonly understood. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. The court did not reach or otherwise address the underlying merits of the CAN-SPAM claims.

• Email This
• Print

The Federal Trade Commission (“FTC”) today announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when Google launched its social network "Google Buzz". The vote of the Commission to accept the settlement was 5-0.

For the first time ever, the FTC is requiring a "Comprehensive Privacy Program" and affirmative consent to any new or additional uses of previously collected data.

In February 2010, Google rolled out Google Buzz, which was a social networking program integrated with many of Google’s services, including Gmail. In its complaint against Google, the FTC alleged that Google violated both Section 5 of the FTC Act and the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. The proposed consent order would impose significant requirements on Google privacy practices for the next twenty years, including a requirement that Google implement a comprehensive privacy program and undergo regular, independent privacy audits.

• Email This
• Print

As recently reported by the data  protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority's limitation on the scope of discovery involving documents with personal information.  The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity.

A German company was the subject of a non-party discovery request in a US civil action to produce company documents located in Germany.  The documents, including emails, were connected to the plaintiff and its business, as well as to the development and distribution of products of the German company. The German company itself was not a party to plaintiff's lawsuit. However, the German company belonged to the same group of companies as the defendant. The plaintiff claimed that the defendant and the German company had gained unauthorized access to business secrets of the plaintiff, and the discovery request was directed to this claim.   

• Email This
• Print

Update 3-24-11:  We have learned that Senator Kerry's office has circulated to selected parties a new version of the draft privacy bill amending the version that is the subject of this blog entry, but has not publicly shared it.  When it is distributed publicly, we will report on any changes.

At last week's Senate Commerce Committee hearing on privacy, Senator John Kerry (D-MA) announced that he will be introducing privacy legislation in this session of Congress.  A draft of the Kerry legislation, which also currently lists Senator John McCain (R-AZ) as a co-sponsor, has been circulating around Washington and was published yesterday by the BNA Electronic Commerce & Law Reporter.  We share a copy of the draft  "Commercial Privacy Bill of Rights Act of 2011" here.

The FTC is given privacy rulemaking authority for the first time in the draft law as well as the authority to approve (and enforce) industry-created Safe Harbor programs.  However, as detailed below, the proposed law would impose major and significant new obligations on businesses dealing with personal information.

Major provisions to note:

• Covered information includes "personally identifiable information(PII)" as well as "unique identifier information(UII)" and "any information collected in connection with PII or UII that may be used to identify an individual."  Geographical addresses of a physical place of residence are included within the scope of PII.   Email addresses would be included if individuals' names are part of them, but the draft brackets questions over whether that should mean first name or last name or legal name or maiden name or nickname or initials or names embedded with other letters or characters, as in Danny123@xyz.com.  Telephone numbers other than work numbers are included within the scope.  Credit card account numbers are within the scope.  Unique persistent identifiers, such as cookies, user IDs, processor serial numbers or device serial numbers "if used to identify a specific individual."  Biometric data such as fingerprints and retina scans are covered.  And, if used transferred or maintained in connection with the above, birth dates, birth certificate or adoption numbers and place of birth are covered, as is geolocation data and "any other information concerning an individual that may reasonably be used to identify that individual.  Sensitive personally identifiable information is defined in one short paragraph as PII "which if lost, compromised, or disclosed without authorization could result in harm to an individual."

• Email This
• Print

The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to privacy with an online advertising network. As disclosed in its website privacy policy, Chitika offered consumers the choice of opting-out of its online network advertising. However, Chitika did not disclose to consumers that the opt-out cookie would expire and disappear from their browsers only 10 days after being set. The FTC therefore believes Chitika’s actions were false and misleading, constituting deceptive trade practices in violation of Section 5 of the FTC Act.     

• Email This
• Print

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" -- which was defined broadly to include any business that accepts deferred payment for goods or services -- must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.

• Email This
• Print

The U.S. Supreme Court today in FCC v. AT&T, Inc., reversed the U.S. Court of Appeals for the Third Circuit, holding that “personal privacy” under the Freedom of Information Act (“FOIA”) does not extend to corporations even though they are defined as “persons” under the statute. Chief Justice Roberts, writing for the Court, expressed his “trust that AT&T will not take [the decision] personally.” The decision was 8-0. (Justice Kagan did not participate.)

The Supreme Court’s analysis hinged on its conclusion that “person” and “personal” are two very different words and that the adjectival form of one word does not necessarily have the same or similar meaning as the underlying noun. Given the commonly understood meaning of the word personal and the term “personal privacy,” and given the context of FOIA and the provision at issue’s relationship to other FOIA sections, the Court concluded that personal privacy does not extend to corporations or other artificial entities. 

• Email This
• Print

Just as privacy remains front page news ("Web's Hot New Commodity: Privacy", Wall Street Journal, February 28, 2011), it remains a subject of bi-partisan interest on Capitol Hill. 

Congressional demands for information from companies following news stories about privacy now are routine. E.g. "Markey, Barton Ask Facebook About Plan to Enable Access to Addresses, Mobile Numbers" (February 2, 2011).

On the Senate side, Senator Patrick Leahy (D-VT) has created a first-ever Sub-Committee on Privacy, Technology and the Law within the Judiciary Committee and has appointed Senator Al Franken (D-MN) subcommittee chair. The committee's mandate includes

oversight of laws and policies governing

• the collection, protection, use, and dissemination of commercial information by the private sector, including online behavioral advertising;
• privacy within social networking websites and other online privacy issues;
• enforcement and implementation of commercial information privacy laws and policies;
• use of technology by the private sector to protect privacy, enhance transparency and encourage innovation; privacy standards for the collection, retention, use and dissemination of personally identifiable commercial information;
• and privacy implications of new or emerging technologies.

Senator John Kerry (D-MA) is expected to introduce a comprehensive privacy regulatory bill that may include FTC rulemaking authority with a specific mandate regarding opt-in and opt-out consent for the online collection of personal information. The legislation has been rumored for months, but has yet to be introduced, perhaps owing to the need for coordination between the two committees that now have jurisdiction over privacy issues in the Senate, the Commerce and Judiciary Committees. Commerce Committee Chair Sen. Jay Rockefeller (D-WV) has expressed a strong interest in seeing increased legal protections for privacy.

On the House side,  four major privacy bills have been introduced this year with more likely to come:

• Email This
• Print

USA Today and "The Last Watchdog" blog published a story today on the privacy implications of ubiquitous digital sensors, in which Hogan Lovells Privacy and Information Management practice Director Chris Wolf is quoted at length. Some excerpts:

Odds are you will be monitored today — many times over.

Surveillance cameras at airports, subways, banks and other public venues are not the only devices tracking you. Inexpensive, ever-watchful digital sensors are now ubiquitous.

Over the next couple of years, the volume of data generated by digital sensors will surpass the flow of e-mails and social-network entries combined, predicts Stephen Brobst, chief technical officer at data analytics firm Teradata. “Sensors will touch nearly every aspect of our lives,” he says.

Meanwhile, technology is rapidly being developed to efficiently mine this mushrooming trove of sensor data in novel ways.

Privacy worries

But before the blessings of pervasive monitoring can be fully realized, privacy concerns need to be addressed, says Chris Wolf, director of privacy and information management at global law firm Hogan Lovells.

“What’s new is the capacity for databases to share data and therefore to put together the pieces of a puzzle that can identify us in surprising ways — ways that really could be an invasion of privacy,” Wolf says.

Wolf, the privacy attorney, says the right to move through public places anonymously could be at risk. “We don’t have to tell everybody we pass on the street our name, phone number and address,” Wolf says.

Losing the right to anonymity, he says, could “really have a chilling effect on where we go, with whom we meet and how we live our lives.”

• Email This
• Print

Despite expressing sympathy for the plaintiff, who was bombarded with more than 1,000 unwanted e-mails advertising a pornographic website, the Ninth Circuit affirmed the dismissal of a “novel and creative” suit against a domain site registrar because it was erroneously premised on a third-party beneficiary theory.

In Balsam v. Tucows, Inc. a spam victim alleged that the defendant domain site registrar utilized a system to hide the identity of spammers, and that the plaintiff was an intended third-party beneficiary of the Registration Accreditation Agreement (“RAA”) between the defendant and the Internet Corporation for Assigned Names and Numbers (“ICANN”). The RAA permitted the defendant to sell domain name registrations to third parties, who thereby became registered name holders. The provision in question (¶ 3.7.7.3) provided as follows:

“A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm.”

The plaintiff alleged that he attempted without success to learn from the defendant the true identity of the website operator sending the unwanted e-mails, but that the defendant refused to reveal that information because it afforded anonymity to the spammer pursuant to a “privacy feature” that allowed website operators to remove their identity information from the ICANN database. The plaintiff sued as an alleged third-party beneficiary of the RAA between ICANN and the defendant, on the theory that the defendant (the nominal registered name holder) was required to accept liability for harm caused by the spammer’s wrongful use of the pornographic website.

The District Court had dismissed the plaintiff’s claims, agreeing with the defendant’s challenge to the plaintiff’s status as an intended third-party beneficiary. The Ninth Circuit affirmed, finding that the contract provision in the IRAA did not support a claim that the parties to the RAA (ICANN and the defendant) intended to benefit or confer any rights upon third parties such as the plaintiff. The Ninth Circuit was persuaded that ¶ 3.7.7.3 of the RAA did not trump another provision in the agreement which expressly stated that the RAA was not to be construed to create any obligation to any non-parties. The court also found fault with the plaintiff’s argument that ¶ 3.7.7.3 of the RAA created liability on the part of the defendant for its actions as a registered name holder, since the defendant had entered into the RAA not as a registered name holder but as a registrar of domain names. The Ninth Circuit noted that there is “no simple remedy for the vast number of unsolicited emails . . . that fill our electronic inboxes daily,” and that spammers “continue to find new ways to advertise.”
 

• Email This
• Print

In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great.  In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users' terminals to track behavior.  Why should network operators be held to a different standard than advertising networks at the edge of the network? 

Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out?  In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice.  The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users' consent.  For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place

One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic.  Users brought a class action for illegal interceptions and invasion of privacy.  On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator's use of NebuAd monitoring technology.  The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose."  It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator's website.

• Email This
• Print

The FTC Privacy Report and Department of Commerce Green Paper raise important questions on commercial use of information about people.  The Commission staff outlines privacy protections businesses will be expected to provide as collection technologies advance, and the Commerce paper proposes new laws and a new federal privacy office. 

In addition to our initial impressions about the FTC Report and DOC Green Paper, we release here a Privacy and Information Management Alert that provides an in-depth analysis including:

• Development of the proposed framework;
• Description and analysis of proposed framework; and
• Concepts advanced by the report;

You can access the full Privacy and Information Management Alert here.

On December 1st, the FTC issued a preliminary staff report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers."  Following the FTC report, on December 16th, the Department of Commerce  issued a "green paper" detailing initial  policy recommendations for online privacy in the U.S.

• Email This
• Print

Preserving consumer privacy online and thereby bolstering consumer trust in the Internet is essential for businesses to succeed online according to the just-released Department of Commerce Green Paper entitled “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  

The Green Paper was authored by the Internet Policy Task Force at Commerce – a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology. The paper follows a Notice of Inquiry to which many stakeholders responded, and a symposium last May. It also follows the December 1st release of the preliminary FTC Staff Report on Privacy.

• Email This
• Print

On December 7, the Federal Trade Commission (FTC) released an Advance Notice of Proposed Rulemaking (ANPR) seeking comment on how to address telemarketing practices designed to circumvent existing Caller ID rules, and how to make Caller ID a more useful tool for screening unwanted calls. 

The FTC’s Telemarketing Sales Rule (TSR) currently requires telemarketers to provide consumers who use Caller ID services with either the telemarketer’s telephone number or the number of the seller or charitable organization represented by the telemarketer. These rules are designed to encourage accountability and enable the FTC and law enforcement agencies to identify improper telemarketing practices (e.g., calling numbers from the Do Not Call registry). The FTC has initiated numerous enforcement actions in recent years, charging telemarketers with concealing their identities from consumers by using advanced technologies to block, “spoof,” or manipulate the names and numbers that appear on Caller ID. 

The ANPR seeks comments on a number of Caller ID issues, including:

• How widespread is consumer use of Caller ID services?
• Do consumers use other services, such as call-blocking equipment, to avoid unwanted calls?
• Would changes to the TSR improve the ability of Caller ID or other services to disclose the source of telemarketing calls or otherwise block calls?
• Should the Caller ID provisions recognize or anticipate certain developments in telecommunications technologies related to the transmission and use of Caller ID information? 
• Should the Caller ID provisions specify the characteristics of the phone number that a telemarketer must transmit to a Caller ID service? For example, the FTC could require that the phone number transmitted be one that is listed in publicly available phone directories, be one with an area code and prefix that are associated with the physical location of the telemarketer’s place of business, be one that is answered by a live representative, or be such that an automated service can identify the telemarketer by name.
• Should the Caller ID provisions allow the use of trade names or product names (instead of the actual name of the seller or telemarketer) in Caller ID displays?
• Should the FTC further harmonize its Caller ID provisions with the regulations promulgated by the FCC pursuant to the Telephone Consumer Protection Act? 

Comments on the ANPR are due on or before January 28, 2011.

(A special thanks to Aaron George for his assistance in preparing this entry.)

• Email This
• Print

Just a day before releasing its long-awaited draft privacy report, the FTC foreshadowed some of its findings relating to requirement of transparency in privacy notices.  It did so by entering into a consent agreement with EchoMetrix for inadequately disclosing that data collected using parental web-monitoring software would be included in a database sold to marketers. This settlement reinforces the FTC’s position, established last year in its settlement with Sears, that notices to consumers relating to material privacy practices cannot be “buried” in privacy policies, terms of use, or license agreements.

• Email This
• Print

The Bureau of National Affairs (BNA) Privacy Law Watch published the following report on yesterday's FTC Privacy Report, featuring observations by Hogan Lovells Privacy and Information Practice Leader Chris Wolf, which we reproduce here, with permission of BNA:

Privacy

FTC Proposes Industry-Led ‘Do-Not-Track'
Mechanism in Long-Awaited Privacy Report

The Federal Trade Commission Dec. 1 published its long-awaited report on consumer privacy policy, a document that featured a call on industry to adopt a proposed set of self-regulatory best practices as well as several general policy recommendations for federal lawmakers to consider.

Notably, the FTC did not call for federal legislation or for additional regulatory powers to enforce industry compliance with whatever self-regulatory measures are eventually adopted.

Internet privacy policymaking is challenging for a number of reasons, the regulators said. Consumer expectations surrounding online privacy differ widely; the harms are often noneconomic and difficult to quantify; and technology changes rapidly, the report noted.

• Email This
• Print

The FTC today released a long-awaited Staff Report (though in preliminary form) that examines the status of privacy law and enforcement by the agency and proposes a framework for greater  consumer privacy protections in the products and services developed by businesses.   The Report, which follows a series of public roundtable discussions on privacy held by the FTC over the past year, is comprehensive in identifying many pressing privacy issues.

• Email This
• Print

On November 17th, just six weeks before the Red Flags Rule is slated for FTC enforcement, a bipartisan bill (H.R. 6420) seeking to limit the scope of the Red Flags Rule was introduced. The bill, entitled the “Red Flag Program Clarification Act of 2010,” seeks to amend the definition of “creditor” under the Fair Credit Reporting Act and, hopefully, finally put to rest the scope of coverage issue that has been the source of great controversy.

The law establishing the Red Flags Rule was passed in January 2008, with a scheduled effective date of November 1, 2008.  For financial institutions, the Rule is operative, but due to confusion and concerns over the scope of the rule – over what entities qualify as covered “creditors” -- the FTC has delayed enforcement five times. The current date for FTC enforcement to commence is December 31, 2010.  In announcing the most recent enforcement delay, the FTC stated that it was delaying enforcement of the Rule while “Congress considers legislation that would affect the scope of entities covered by the Rule.”  

The Red Flags Rule aims to prevent identity theft by ensuring that entities are aware of possible signs of identity theft. The Rule requires “financial institutions” and “creditors” who maintain “covered accounts” to develop written identity theft prevention programs. Under the current Rule, a “creditor” is broadly defined as any person or entity that (a) regularly extends, renews, or continues credit; (b) regularly arranges for the extension, renewal, or continuation of credit; or (c) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit for a covered account. The broad definition of “creditor” adopted under the Rule encompasses a wide variety of organizations, including many health care entities, law firms, and accountants.

H.R. 6420 seeks to narrow the scope of the Rule by exempting from the definition of “creditor” a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition of “creditor” would also include any other creditors deemed (through rulemaking) by their appropriate regulating authority to offer or maintain “accounts that are subject to a reasonably foreseeable risk of identity theft.’’

The new legislation comes while the FTC’s application of the Rule is facing several challenges in federal court from organizations such as the American Bar Association (ABA), American Medical Association and the American Institute of Certified Public Accountants. Most recently, on November 15, 2010, the U.S. Court of Appeals for the D.C. Circuit heard oral arguments regarding the ABA’s challenge to the FTC’s application of the Rule to attorneys.

• Email This
• Print

The article below (reprinted with permission) from Telecom Reports Daily is based on the reporter's review of a copy of the draft Privacy Green Paper from the Department of Commerce, now under review at the White House. 

Notably, the article reports:

• The Department of Commerce document is expected to be released in the coming weeks.
• In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.
• The report [says] that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs)."  
• It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.
• As for other congressional action, the report [says] that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways."
  
   

DRAFT COMMERCE REPORT RECOMMENDS
ONLINE PRIVACY OFFICE, LEGISLATION

A draft Commerce Department report that is being reviewed by the White House recommends the creation of a privacy policy office and passage of legislation that establishes “a baseline privacy framework.”  In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.

TRDaily has obtained a copy of the 54-page draft document, “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  It is the work of Commerce’s Internet Policy Task Force, which has held more than six months of consultations, issued a notice of inquiry in April (TRDaily, April 21), and held a symposium in May (TRDaily, May 7).  The document is expected to be released in the coming weeks.  The task force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.

“As the Internet evolves, the Obama administration is committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth.  These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online,” said a Commerce Department spokeswoman, declining to discuss specifics of the report.  “In the coming weeks, the Commerce Department will issue a report that contains policy recommendations and seeks further input, with the aim of advancing both the domestic and global dialogue and contributing to an eventual administration-wide position on information privacy policy.”  The report is currently being reviewed by the White House Office of Management and Budget, according to a source.

Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy (TRDaily, Oct. 25).  It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.

The report said that comments submitted in response to the NOI “demonstrated a compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners - all without compromising the current framework’s ability to accommodate new technologies.”

However, broadband industry providers commenting on the NOI told the department last summer that online privacy protections should be pursued through self-regulation, industry standards, and best practices, rather than through regulation and legislation (TRDaily, June 16).  Public interest groups, however, saw a role for government mandates, along with other approaches advocated by industry.

The report said that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs).  Widespread adoption of comprehensive FIPPs is essential to achieving the goals we have set for the Dynamic Privacy Policy Framework.  Widespread adoption of FIPPs would protect privacy interests in data that currently receive little or no statutory privacy protection.  Also, given the flexibility inherent in the individual principles, a FIPPs baseline would help ensure consumer privacy protection as new technologies emerge.  Finally, the FIPPs-based framework that we envision would allow companies to direct resources to the principles that matter most for protecting privacy in a particular technological, business, or social context.  Legislation would authoritatively establish a FIPPs-based framework, but action by industry, civil society, the Executive Branch, and enforcement agencies can also help this framework take hold.”  It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

As for other congressional action, the report said that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways.  The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities.”

And while it called for “baseline” privacy legislation, the report said that such a measure “should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections.”

In addition, the document said that “[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment.”  Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.

The report also called on the Obama administration to “review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services.  The goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe.”

Regarding the privacy policy office (PPO), the task force said it could either be housed within Commerce or in the Executive Office of the President.  The office would not have enforcement authority, it said. “The PPO would help guide industry-specific, multi-stakeholder undertakings in developing data privacy policies that respond to identifiable technological or business developments,” it said.  “A PPO-facilitated process would provide a way for stakeholders who are examining innovative new uses of personal information to better understand changing consumer expectations-and identify privacy risks-early in the lifecycle of new products or services.  As both a convener of diverse stakeholders and a center of Executive Branch privacy policy expertise, the PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct.  Voluntary principles developed through this process would be enforceable by the Federal Trade Commission and would serve as a safe harbor for companies facing complaints about their privacy practices.”

In an Oct. 27 speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling also stressed that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies.  A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”

The report also recommended an emphasis on FIPPs that focus on “enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.”  It also said any legislation establishing “general FIPPs-based data privacy protection should include a safe harbor provision for companies that adhere to voluntary, enforceable codes of conduct.”  It also said that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but it sought questions on whether the FTC should be given additional rulemaking authority if voluntary enforceable codes are not established.

The report also recognized the importance of collaboration with stakeholders from other countries.  It recommended continued work by U.S. officials “toward increased cooperation among privacy enforcement authorities around the world,” that includes “a framework for mutual recognition of other countries’ privacy frameworks.”- Paul Kirby, paul.kirby@wolterskluwer.com
 

• Email This
• Print

The New York Times published a piece today with the headline "Stage Set for Showdown on Online Privacy," suggesting that the Department of Commerce and the Federal Trade Commission appear to be at odds over how to advance privacy in the United States.  It is true that the privacy community is awaiting two separate reports, the Commerce "Green Paper"  following a Notice of Inquiry on privacy and the FTC's Staff Report following the three privacy Roundtables, and no one knows exactly what the contents will be.  But for those of us following the situation here in DC, the Times piece suggesting conflict is at odds with other signals from Commerce and the FTC. 

Recall that David Vladeck recently previewed the major themes of the upcoming FTC Report at an IAPP gathering and said, on the issue of regulation vs. self-regulation, that the Commission has always supported self-regulation.   With respect to privacy and online advertising, he said  "I am disappointed in the progress of self-regulation". "Ad disclosures and icons are all good ideas, but implementation is very much a work in process."  He concluded that the Commission and the public may lose its patience with self-regulation if there is not better progress.   

Assistant Secretary of Commerce Larry Strickling addressed the global privacy commissioners conference in Jerusalem recently

First is the importance of trust.  It is imperative for the sustainability and continued growth of the Internet that we preserve the trust of all actors. For example, if users do not trust that their personal information is safe on the Internet, they will worry about using new services. If content providers do not trust that their content will be protected, they will threaten to stop putting it online.

Our approach, which we call Internet Policy 3.0, recognizes that the interplay among technical standards and design, multi-stakeholder institutions, voluntary best practices, and laws and regulations can ensure that the Internet continues to meet its economic and social potential. 

 The framework I have in mind would build on current successes with voluntary codes but provide a more accountable, institutional structure for the future.  (emphasis supplied)

The proffered approaches of the FTC and the Department of Commerce in the previews presented by the respective agencies' top officials seem remarkably similar.  The notion that the Obama Administration would stage a "showdown" with the FTC, whose leadership it appointed, seems far fetched.  But time will tell.

• Email This
• Print

 The FTC unveiled an extremely useful web site with compliance tools:

The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces.

The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics.  A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information.

A new video encourages businesses to use and share the free resources in the Business Center to enhance compliance and build their customers’ trust.  Companies can use the compliance tips in their newsletters and blogs, share the resources with their social and professional networks, use the videos for in-house trainings or presentations, and order free materials to hand out at conferences or community events.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad.

With respect to privacy compliance in particular, there are sections on   

• Behavioral Advertising

• Children's Online Privacy

• Credit Reports

• Data Security

• Gramm-Leach-Bliley Act

• Health Privacy

• Red Flags Rule

And included are

• Case Highlights (76)
• Reports and Workshops (58)
• Laws, Rules, and Guides (30)
• Compliance Documents (79)

Kudos to the FTC for such a useful resource.

• Email This
• Print

Update:  According to the Washington Post, "A key Republican lawmaker indicated Wednesday [November 3] that Internet privacy could be a legislative priority in the next Congress, as a growing number of data breaches draw increased attention from federal regulators.  Rep. Joe L. Barton (Tex.), ranking GOP member of the House Energy and Commerce Committee, signaled the legislative push in a statement about his correspondence with Facebook executives on privacy issues.  "I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done," Barton said"

Privacy was not on the ballot yesterday, but the results may affect the prospects for privacy legislation in the new Congress.

The big news is that Congressman Rick Boucher, a respected Virginia Democrat who has served for nearly 19 years, was defeated by Morgan Griffith, a Virginia state legislator. Boucher, along with Congressman Rick Stearns (R-FL) circulated a draft comprehensive privacy bill earlier this year and promised to introduce it after harmonizing it with the bill introduced by Congressman Bobby Rush (D-IL). The election result means that Boucher no longer will chair the House Communications, Technology and the Internet Subcommittee. He may be succeeded by Stearns, who presumably would still favor privacy legislation and make it a subcommittee priority. 

Stearns said earlier this week 

I have worked on developing privacy legislation from the time I was Chairman of the Commerce, Trade & Consumer Protection Subcommittee from 2001 to 2006 and I am still working on it. 

He also is reported to have said that he does not support all the provisions of the Boucher bill and "would like to see a bill" that is less prescriptive and "allows innovation to continue to flourish."

Whether his Republican colleagues now in the majority share his zeal for greater privacy regulation following an election whose theme was less government intervention remains to be seen. Moreover, Stearns also may prefer a leadership role on another committee, leaving the privacy legislation orphaned in the subcommittee. Candidates to lead the opposition on the Communications, Technology and the Internet Subcommittee include Rep. Anna Eshoo (D-CA) whose district includes Google headquarters and Rep. Ed Markey (D-MA). Markey has been vigilant on privacy issues.

A glimpse into the privacy views of presumptive Speaker of the House John Boehner is his lawsuit under the Electronic Communications Privacy Act (ECPA) arising out of the interception and recording of a cell phone conference call Boehner had with Republican leaders concerning an ethics investigation into conduct of Newt Gingrich,  and the fact that he voted yes on retroactive immunity for telecoms' warrantless surveillance.

Whether privacy becomes a priority for the new Republican leadership is an open question, and will likely be driven by events and the headlines.

New to the US Senate is Connecticut Attorney General Richard Blumenthal, well-known for his aggressive investigations and settlements related to privacy issues. Blumenthal led the thirty-state investigation of Google concerning the company’s collection of user information while mapping out U.S. areas for Street View, and indicated despite the FTC conclusion of its investigation into the episode that his office’s investigation would continue. Blumethal also brought the first data breach enforcement action under the HITECH Act against Health Net earlier this year.  It is fair to expect Blumenthal’s focus on privacy to continue once he is sworn in.

Despite the fear that the new political landscape in Washington means nothing but gridlock, some believe that privacy is one of the few issues that “will get done”.

• Email This
• Print

At its recent annual meeting, the Society of Professional Journalists (SPJ) unanimously adopted a resolution calling for revision of the Family Educational Rights and Privacy Act (FERPA).  According to a report by the Student Press Law Center, SPJ Freedom of Information Committee Chairman Dave Cuillier said

[T]he need for a resolution on student privacy came about several years ago when the Columbus Dispatch did an investigation on abuse of the Family Educational Rights and Privacy Act. Since that time, many journalists continue to have access problems.  We want to make sure this issue stays alive because this is a huge problem.

The Resolution in its entirety appears here:

• Email This
• Print

From a guest blog by Hogan Lovells Privacy and Information Management leader Christopher Wolf on The Last Watchdog

Whose job is it to protect the privacy of personal information? That is the burning question in Washington these days.

Privacy is receiving so much attention right now not just because of headlines about Facebook and Google and their privacy missteps, but because we live in a time when people are sharing volumes of information about themselves and others on social networks, and when technology that can collect, share, analyze and store information about people is advancing at a staggering pace.

Think geo-tracking, behavioral-targeted advertising, and sensors collecting data about us connected to the Internet.

So who should be protecting our privacy? Some say that the government should finally pass a comprehensive privacy law that strictly regulates the collection and use of data.

Others say that companies using personal data have a responsibility to protect privacy, but should not be shackled by one-size-fits-all laws and regulations, lest economic progress on the Internet – one of the few bright spots in the economy – be stifled.

And then there are those who say people should be smart enough to protect themselves by being careful about what information they share online.

So who is right? They all are right.

Read more

• Email This
• Print

The FTC has entered into a proposed settlement with a company that promised a consumer the ability to choose what information would appear when others searched for that person in the company's online service, but failed to provide the promised control.  The proposed settlement  announced by the FTC followed an investigation of US Search, a data broker that promised consumers that if they paid $10 for its "PrivacyLock" service, it would "lock their records" by excluding their information from search results.  Instead, according to the FTC's complaint, PrivacyLock did not block consumers' names from showing up as an associate of someone else in a search for the other person's name; did not block consumers' information from appearing in a "reverse search" of their phone number or address, or in a search of their address in real estate records; did not work if the consumer changed addresses; and did not work if the consumer had multiple records (e.g., "John Smith" and "John T. Smith").  The consent decree, which is part of the proposed settlement, subject to a regulatory comment period, prohibits US Search from continuing to market any products claiming to ensure consumer privacy in such a manner and requires it to refund customers who paid for Privacy Lock.

This enforcement action comes on the heels of the FTC's Feburary settlement with ControlScan, another company that promoted a privacy-enhancing service but failed to live up to its promises.  In that case, ControlScan purported to certify the privacy and data security practices of its clients' websites but failed to adequately verify those websites' actual privacy and security protections and displayed a certification date that did not reflect the actual date of its most recent security review.  And last October, the FTC brought enforcement actions against six companies over misrepresentations that they were current with their certifications under the U.S.-EU Safe Harbor program, a privacy compliance program that provides assurance to European organizations that U.S. businesses to which they transfer personal data will treat that data in accordance with European privacy standards.

The FTC's activity in this area demonstrates the importance it places on promises of privacy and security by companies that directly sell and market privacy and security protections.  Privacy enhancing services are obviously a good thing.  But profiting from consumers' willingness to pay for  protections by selling them knowingly or negligently false guarantees will trigger enforcement actions.  Therefore, companies developing privacy certifications and technologies should take care to evaluate their marketing materials and to constantly evaluate their services to ensure that they do not fall short in their promises to consumers.

• Email This
• Print

Maneesha Mithal from the FTC Division of Privacy and Identity Protection spoke today at the Online Trust Alliance Forum in Washington, DC and provided some insights into the forthcoming FTC Report on Privacy, following the three recent Roundtables conducted by the Commission.  She cautioned that the Commissioners had not yet reviewed and approved the Report, and that it may change, but said the following:

There are five fundamental findings about privacy today that will be included in the Report:

1. There is increased collection, storage and use of data.
2. Consumers are largely unaware of the use of data, especially the practices of the data broker industry and behavioral advertising.  Notice and choice has been a disaster.
3. Consumers really do care about privacy. 
4. Innovation in the Internet economy is important, and free content that is provided through the collection of information also is important.
5. There is a blurring of the distinction between personally identifiable information and non-personally identifiable information.

1. Privacy by Design, that includes privacy reviews, must be a part of all technology development that involves personal information
2. There is a need to improve consumer choice, with just in time notices of collection practices
3. There is a need for Improved transparency, even with just in time disclosures.  Privacy notices will remain, but must improve (see e.g.  the new GLB privacy notices sanctioned by the FTC)

Ms. Mithal summarized by saying "Our whole Report is about consumer control."

In some circles, it was expected that the FTC Report might be released before the 32d Annual Conference of Privacy and Data Protection Commissioners in Jerusalem at the end of October, but that now does not seem likely given the review process at the Commission. 

So we now have a glimpse of what to expect, but stay tuned.

• Email This
• Print

In this interview with Forbes, I share some perspectives on

(1) the prospects for an online privacy bill passing this year;

(2) some of the issues raised by the Rush privacy bill currently pending in Congress;

(3) the efficacy of FTC enforcement;

(4) the problems with the concept of a "Do Not Track" list, which has been proposed; and

(5) the need for reform of the Electronic Communications Privacy Act.

• Email This
• Print

The Platform for Privacy Preferences Project, or P3P, involves browser technology that allows a user to set privacy conditions and state what personal information may be seen by websites.     Websites usuing P3P are supposed to respect the user's settings.  Heralded as a privacy enhancing technology when the World Wide Web Consortium recommended it in 2002, adoption of the automated tool, it has never caught on and the vast majority of consumers don't use it.

Nevertheless, a just-released study by Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald and Robert McGuire of the Carnegie Mellon Cy Lab has concluded that large numbers of websites are misrepresenting their P3P privacy practices, "thus misleading users and rendering privacy protection tools ineffective."  From the Abstract:

"Platform for Privacy Preferences (P3P) compact policies (CPs) are a collection of three-character and four-character tokens that summarize a website's privacy policy pertaining to cookies. User agents, including Microsoft's Internet Explorer (IE) web browser, use CPs to evaluate websites' data collection practices and allow, reject, or modify cookies based on sites' privacy practices. CPs can provide a technical means to enforce users' privacy preferences if CPs accurately reflect websites' practices. Through automated analysis we can identify CPs that are erroneous due to syntax errors or semantic conflicts. We collected CPs from 33,139 websites and detected errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites. Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under it's default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."

Just as a recent University of California-Berkeley study about flash cookies and privacy prompted a series of lawsuits recently against Quantcast and Clearspring and users of their technology, there is speculation that the Carnegie Mellon study may inspire new lawsuits and investigations.  The websites using P3P compact policies are not without their defenses however, so it remains to be seen whether the study serves as a sturdy "platform for plaintiffs' preferences."

• Email This
• Print

In an opinion piece appearing in today's Wall Street Journal, available here, Eric Felten describes an ongoing case in which a tort claim seeks to escape the limitation of liability language contained in an End User License Agreement (EULA):

A federal judge in Hawaii ruled last month that a man claiming to be addicted to a videogame can sue the game's maker for gross negligence in not warning him he could become a joystick junkie. Craig Smallwood alleges in his lawsuit that, as a result of playing the online game "Lineage II," he has "suffered extreme and serious emotional distress and depression, and has been unable to function independently in usual daily activities such as getting up, getting dressed, bathing, or communicating with family and friends."

Felten continues:

Silly as the suit may be, it isn't without legal ramifications. Steven Roosa, a lawyer doing research at Princeton's Center for Information Technology Policy, sounded almost giddy this week at the prospect that a court might chip away at the enforceability of End User License Agreements, or EULAs. These software license agreements often radically limit how, and for how much, customers can sue if they feel harmed by an electronic product.

Mr. Roosa cheered on his blog that the judge in Hawaii has opened an avenue for escaping the tyranny of these one-click, liability-limiting contracts. He called the judge's refusal to throw the case out in its entirety a "stunning defeat" not only for the maker of Lineage II, but for the whole business of locking customers into contracts that consist of miles of electronic fine print that hardly anyone ever reads.

Felten observes in his Journal article that "[n]o doubt we do live in a time of kudzu legalese, with weedy contractual tendrils crawling into every electronic transaction. It's alarming to think about everything we sign off on these days, with endless demands to click "I agree" as the non-negotiable price of entry into our electronic worlds. Alarming, because few of us ever peruse the legal documents to which we so regularly and glibly affix our electronic signatures."

Last April, the British retailer Gamestation set out to prove the point by including in its boilerplate some Mephistophelean contractual language: "By placing an order via this Web site," read the clause, "you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul." In just one day, some 7,500 customers "agreed" to hand over their souls for a mess of virtual pottage. (emphasis supplied)

In the context of privacy policies, two weeks ago I was a panelist at the Privacy, Identity and Innovation 2010 conference in Seattle in the session "Competing on Privacy: Trade-offs, Transparency and Trust."  At the session, I observed  that privacy policies often are dense because companies need to protect themselves, but that alongside the legalese of the privacy policies can be layered notices with simple declarative sentences and even videos of people explaining in plain English how personal information is collected and used.

A blogger in the Seattle audience yelled out at me for admitting that I draft lengthy privacy policies, and I tried to get this concept across, explained in today's Journal article:

The proliferation of annoying and obnoxious license agreements has been driven, primarily, not by companies' desire to abuse their customers, but by a need to keep their rather more litigious customers from abusing them (and the legal system). As Jonathan Zittrain, who teaches both law and computer science at Harvard, puts it, "EULAs are, for most companies, a shield not a sword."

(I did not admit nor do I mean to suggest that the policies I draft are "annoying and obnoxious," just lengthy.)

So it is a given that legal notices almost inevitably will be complex but supplemental, simplified notices, even video notices, alongside the legalese will better inform consumers.  And it should thwart tort claims where a plaintiff claims "I had no idea this could be the result of my interaction with the web site."

• Email This
• Print

The Economist magazine is hosting an online debate on whether governments should do more to protect online privacy.  The series can be found here.  Marc Rotenberg, President and Executive Director of Electronic Privacy Information Center (EPIC) is squaring off against Jim Harper, Director of Information Policy Studies at the Cato Institute.  Today, Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum (the privacy think tank that I founded and co-chair with Jules) made this contribution to the debate:

• Email This
• Print

Two national newspapers today included items on targeted advertising, a further indication that online tracking remains a hot topic.  In an article on the front page of the New York Times entitled  "Retargeting Ads Follow Surfers to Other Sites"  the reporters note that "[b]ehavioral targeting has been hotly debated in Washington, and lawmakers are considering various proposals to regulate it."

People have grown accustomed to being tracked online and shown ads for categories of products they have shown interest in, be it tennis or bank loans.

Increasingly, however, the ads tailored to them are for specific products that they have perused online. While the technique, which the ad industry calls personalized retargeting or remarketing, is not new, it is becoming more pervasive as companies like Google and Microsoft have entered the field. And retargeting has reached a level of precision that is leaving consumers with the palpable feeling that they are being watched as they roam the virtual aisles of online stores.

The article quoted an Advertising Age writer who said “If the industry is truly worried about a federally mandated ‘do not track’ list akin to ‘do not call’ for the Internet, they’re not really showing it.”   The Interactive Advertising Bureau (IAB), comprised of more than 460 media and technology companies responsible for selling 86% of online advertising in the United States. disputes that they are not addressing the privacy issues associated with online tracking and targeting, as indicated  here.

A Wall Street Journal opinion piece by Emory University Economics Professor Paul Rubin paints a very different picture from the New York Times article.  The piece is entitled "Ten Fallacies About Web Privacy" and in summary form, here is Professor Rubin's list of privacy fallacies with excerpts of why he thinks the propositions are false. 

1) Privacy is free...  The more privacy consumers have, the less information is available for use in the economy. Since information helps markets work better, the cost of privacy is less efficient markets...

2) If there are costs of privacy, they are borne by companies... [C]onsumers get tremendous benefits from the use of information [and bear a cost from regulations designed to protect their privacy]...

3) If consumers have less control over information, then firms must gain and consumers must lose...  [W]hen information is used for other purposes—for example, in credit rating—then the cost of credit for all consumers will decrease...

4) Information use is "all or nothing." ... [S]ervices will be lower-quality and less valuable to consumers as information use is more restricted...

5) If consumers have less privacy, then someone will know things about them that they may want to keep secret....  [W]e are not used to the concept that something can be known and at the same time no person knows it. But this is true of much online information...

6) Information can be used for price discrimination (differential pricing), which will harm consumers.  [If] price discrimination makes it possible for firms to provide goods and services that would otherwise not be available (which is common for virtual goods and services such as software, including cell phone apps) then consumers unambiguously benefit...

7) If consumers knew how information about them was being used, they would be irate.  [C]onsumers don't bother to learn about information use on the Web precisely because there is no harm from the way it is used...

8) Increasing privacy leads to greater safety and less risk. The opposite is true....  Think of being called by a credit-card provider and asked a series of questions when using your card in an unfamiliar location, such as on a vacation...

9) Restricting the use of information (such as by mandating consumer "opt-in") will benefit consumers. In fact, since the use of information is generally benign and valuable, policies that lead to less information being used are generally harmful...

 10) Targeted advertising leads people to buy stuff they don't want or need. This belief is inconsistent with the basis of a market economy... 

Clearly, when Congress returns from its recess and the privacy advocacy community returns from vacation, and as the FTC prepares its long-awaited report following a series of privacy roundtables earlier this year, debate over online tracking, self-regulation and the need vel non of government regulation will heat up.

• Email This
• Print

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses).  Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business.  The bill, titled the “BEST PRACTICES Act,” would require each covered entity, with some exceptions, to do the following:

• Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
• Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which it has a direct relationship);
• Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
• Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
• Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
• Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
• Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
• Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
• Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
• Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
• Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

• Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
• The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
• Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation.  The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees.  There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) in May.  Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter European-like privacy protections to the collection and use of information, now regulated on an ad hoc basis by the FTC under its authority to regulate unfair and deceptive trade practices under Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

• Email This
• Print

• Email This
• Print

The Federal Communications Commission (FCC) issued a Public Notice seeking comment on a Petition for Expedited Clarification and Declaratory Ruling (Petition) filed by Global Tel*Link Corporation (Global Tel) regarding its outbound calling practices.  The Petition raises several key issues under the Telephone Consumer Protection Act (TCPA) and related FCC rules, including whether certain calls (e.g., non-telemarketing calls) should be exempt from some of the TCPA’s restrictions on the use of prerecorded messages and autodialers.  Given the broad applicability of the TCPA and the FCC’s rules, this new proceeding could affect any company that places calls using prerecorded messages or autodialers.

The TCPA and the FCC’s rules prohibit, among other things, the use of automatic telephone dialing systems (“autodialers”) or artificial or prerecorded messages when calling, inter alia, telephone numbers assigned to wireless services, absent an emergency or the “prior express consent” of the called party.  Of note, the restriction against placing these calls to mobile phones without prior express consent applies regardless of whether the call is a “telemarketing” call.  The TCPA and the FCC’s rules also make it unlawful to place a non-emergency telephone call to a residential line “using an artificial or prerecorded voice” without the recipient’s “prior express consent” (although there are some exceptions).   

As described in the Petition, Global Tel provides outbound calling services for prison inmates.  For certain outbound calls (e.g., some calls from inmates to mobile phone numbers), Global Tel sets up a billing arrangement with the called party before connecting the called party to the inmate.  For example, when the inmate places a call, Global Tel initiates an “automated interactive voice response notification” to:

• inform the called party that an inmate is trying to make contact;
• get consent for the call; and
• establish the billing arrangement. 

Global Tel then puts the call through. 

Concerned that these inmate calls could expose the company to liability under the TCPA and the FCC’s rules, Global Tel has asked the FCC to exempt the calls from TCPA enforcement.  For example, Global Tel argues that the calls to landline phones serve no commercial purpose, are not an unsolicited advertisement, and include an opt-out mechanism so that called parties can avoid future calls.  Regarding calls to mobile telephone numbers, Global Tel argues, among other things, that it can be presumed that the inmate has dialed a cell phone number because that is the number at which the called party wishes to be reached.  Moreover, the called party may have only a wireless phone (and not a landline phone).  Separately, Global Tel argues that its calls do not involve the use of an autodialer or predictive dialer.

Although the Petition is focused on Global Tel’s situation, the FCC’s decision in this proceeding could affect many companies that rely on the use of prerecorded messages or autodialers as part of their communications strategy.  Nonetheless, the FCC has established a very short comment period for this item – comments will be due just 15 days after the item appears in the Federal Register, and replies are due 25 days after the item appears in the Federal Register.

• Email This
• Print

By Eric Bukstein

As energy companies across the country are gearing up to start providing electrical service through “Smart Grids,” California is one of the first jurisdictions to begin creating a regulatory framework for the operation of a Smart Grid.  On May 21, 2010, the California Public Utilities Commission (“CPUC”) issued a proposed decision, authored by Commissioner Nancy Ryan, providing California energy companies with details on what information must be included in any Smart Grid deployment plans submitted to the CPUC by a July 1, 2011 deadline.  The CPUC currently is taking comments on the decision, which will be considered and finalized by the entire commission.  While the proposed decision addresses some privacy and data security issues, the CPUC stated that further proceedings will focus more specifically on information access and privacy protections.

Smart Grids provide for a two-way flow of information and electricity, allowing both customers and utilities more control over energy consumption and costs, increasing the reliability of the energy grid, and allowing for a more efficient delivery of energy.  Utilities’ use of smart grids raises privacy concerns because of the possibility of linking personal information to granular details about energy use.  For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

CPUC’s proceeding started after the California legislature passed a law in September of 2009 requiring the CPUC “to determine the requirements for a Smart Grid deployment plan” by July 1, 2010.  This decision was the result of a year of proceedings in which the CPUC received comments from stakeholders as to how to best implement this law and move toward the deployment of a Smart Grid. 

The CPUC’s proposed decision addresses many issues beyond privacy, laying down an outline, by way of eight topics which need to be addressed, for a utility company’s Smart Grid deployment plan.  The CPUC specifically added Grid Security and Cyber Security Strategy to a list of topics, which were initially suggested by utility companies, that should be addressed in each utility company’s deployment plans.  The full list of categories is as follows:

1.      Smart Grid Vision Statement;

2.      Deployment Baseline;

3.      Smart Grid Strategy;

4.      Grid Security and Cyber Security Strategy;

5.      Smart Grid Roadmap;

6.      Cost Estimates;

7.      Benefits Estimates; and

8.      Metrics.

Regarding privacy and data security, the proposed decision asks utility companies to assess these issues in two areas.  First, as part of a privacy impact assessment to be included in a baseline report (item 2 above), which analyzes current practices, the utility company must address the following questions:

• What data is the utility now collecting?
• For what purpose is the data being collected?
• With whom will the utility currently share the data?
• How long will the utility currently keep the data?
• What confidence does the utility have that the data will [sic] is accurate and reliable enough for the purposes for which the data is used?
• How does the utility protect the data against loss or misuse?
• How do individuals have access to the data about themselves?
• What audit, oversight and enforcement mechanism does the utility have in place to ensure that the utility is following their own rules?

Second, in a section of the proposed decision devoted to information security, the CPUC requires a utility company to describe “security strategies” that “address physical, cyber and human threats for grid operations with implementation of Smart Grid technologies.”  Each Smart Grid deployment plan needs to discuss how it will incorporate National Institute of Standards and Technology (“NIST”) requirements and guidelines into the security program of the utility.  The CPUC declined to adopt specific Smart Grid security standards at this time, but recommends that utility companies consult documents, prepared by NIST and the Department of Homeland Security, for guidance when preparing security plans.  The CPUC also directed that each deployment plan should contain a systematic risk assessment, including a “security audit based on industry best practices.”  This assessment should address:

"The prevention of, preparation for, protection against, mitigation of, response to, and recovery from security threats for the utilities’ advanced meter and communications infrastructure, distribution grid management, and distribution grid management with implementation of other Smart Grid technologies and infrastructure, including all major subsystems and utility storage of customer information."

Additionally, the CPUC orders that each deployment plan discuss the following questions:

·        What types of information about customers are or will be collected via the smart meters, and what are the purposes of the information collection?  Could the information collection be minimized without diminishing the specified purposes?

·        Does the utility have or expect to have other types of devices, such as programmable communicating thermostats (PCTs), which can collect information about customers?  If so, what types of information is collected, and what are the purposes of the information collection?  Could the information collection be minimized without interfering with the specified purposes?

·        What types of information, if any, does the utility plan to collect from the smart meter and HAN gateway?

·        How frequently will the utility take readings from the smart meter?  Is this frequency subject to change?  Will customers control this frequency?

·        For each type of information identified above, for what purposes will the information be used?  The purposes should be articulated with specificity, e.g., “targeted marketing” instead of “promoting energy efficiency.”

·        For each type of information collected, for how long will the information be retained, and what is the purpose of the retention?  Could the retention period be shortened without diminishing the specified purpose?

·        What measures are or will be employed by the utility to protect the security of customer information?

·        Has the utility audited or will it audit its security and privacy practices, both internally and by independent outside entities?  If so, how often will there be audits?  What are the audit results to date, if any?

• Email This
• Print

Thanks to Eric Bukstein in the Hogan Lovells privacy group for providing this report.

On May 3, 2010, in Arista Records v. Doe 3, a Second Circuit panel issued an opinion finding that an Internet user’s right to remain anonymous is not sufficient to prevent an ISP from revealing his identity in a copyright infringement dispute. The court held that a record label may subpoena information about Internet users connected to IP addresses if there is sufficient evidence that the IP addresses had been used to illegally share music. 

• Email This
• Print

On May 4, Representatives Rick Boucher (D-Va.) and Cliff Stearns (R-Fl.) of the House Subcommittee on Communications, Technology, and the Internet published a discussion draft of long-anticipated privacy legislation that would restrict companies’ online collection and use of personal information and online activity, including use for the purpose of targeted online advertising.  Here are some observations about the draft bill, in its current form:

• The bill would require any company that collects “covered information” from or about individuals to obtain opt-in consent to a statutorily mandated privacy policy containing at least fifteen enumerated disclosures.  Consent would be deemed adequate if the user expressly opted in to the information collection after being presented with the required disclosures, or in most circumstances if the user “does not decline consent at the time such statement is presented."  This would seem to imply that web sites would need to ensure that privacy policies appear on users’ screens at some point, to either expressly opt in or to fail to “decline consent” when the statement is presented to the user.  At the same time, however, the bill permits privacy policies to be “accessible through a direct link from the Internet homepage of the web site.”  It is unclear, then, whether the bill would consider the existence of such a link to be sufficient to infer that a user “does not decline consent” when merely accessing a web site, which would otherwise obviate the need to obtain opt-in consent.
• In a few specific circumstances, the bill would permit the use of web site user information for the purposes of marketing, advertising, or selling only with express opt-in consent.  This includes (1) when the web site wishes to disclose the information to unaffiliated third parties, such as advertisement networks, unless certain requirements are met (see the next bullet); (2) when the web site collects or discloses any “sensitive information,” which is defined as medical records or history, race, ethnicity, religious beliefs, sexual orientation, financial records or other information associated with a financial account, or geolocation information; or (3) when the web site collects or discloses “all or substantially all of an individual’s online activity.”
• Nevertheless, the bill would provide an exception permitting a web site to share user information with unaffiliated third parties for the purposes of marketing, advertising, or selling without express opt-in consent if it:  (1) provides users with a “readily accessible” opt-out mechanism; (2) deletes or renders anonymous any “covered information” within 18 months after it is first collected; (3) allows users to review and modify, or completely opt out of having, any profiles maintained about their preferences by web sites or their advertisement network partners for marketing purposes (these so-called “preference profiles” must be accessible through a hyperlinked “symbol or seal” on the web site and on or near any advertisement served based on the profile); and (4) prohibits advertisement networks from further disclosing any such information they receive.  This would seem to almost directly endorse the use of the online behavioral privacy icon put forth by groups supporting industry self-regulation of behavioral advertising.
• The term “covered information” would include a number of individual data elements – such as name, e-mail address, and Social Security number – that might otherwise be considered personally identifiable information under other statutory or regulatory regimes (at least in combination with other data elements).  In addition to the novel development of regulating the collection of these data elements individually, the bill includes in its definition of covered information:
  
  "Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user."
  
   Adopting this definition would be significant because no American privacy law has ever considered an anonymous identifier or IP address to be legally protected information (though IP addresses are considered to be personally identifiable in the EU and FTC Chairman Jon Leibowitz commented just a couple weeks ago that he believes that IP addresses should be considered personal information).  Additionally, this definition means that the bill would apply to any web site that maintains and uses information about users keyed to a unique identifier, which means that it applies to just about every web site that collects user registration information.

Click "Continue Reading..." for more

• Email This
• Print

The Federal Communications Commission released its long-awaited National Broadband Plan today, providing an aggressive roadmap for advancing affordable broadband deployment and adoption; stimulating economic growth; and boosting the nation's capabilities in education, healthcare, homeland security, and other areas.  The Plan also appears to confirm that the FCC is looking to take an expanded role in privacy-related consumer protection issues.

In the Plan, the FCC discusses a number of broadband privacy and data security issues focused on the protection of and consumer control over personal information.  For example, the FCC states 

 

[t]he collection, aggregation and analysis of personal information are common threads among, and enablers of, many application-related innovations...

and the Plan notes the value of services such as customized suggestions for movie rentals or books and more targeted and relevant advertising.  It cautions, however

many users are increasingly concerned about their lack of control over sensitive personal data.

The FCC then remarks:  

Innovation will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.  Policies therefore must reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their “digital identity.”  Ensuring customer control of personal data and digital profiles can help address privacy concerns and foster innovation.

The FCC also makes several broadband privacy and data security recommendations in the Plan, including:

• Encouraging Congress and the Federal Trade Commission (as well as the FCC) to clarify the relationship between users and their online profiles, including disclosure and consent requirements and data collection, sharing, storage, safeguarding, and accountability responsibilities;

• Suggesting that Congress consider helping spur the development of trusted "identity providers" that can help consumers maximize the privacy and security of their data;

• Having the FTC and FCC jointly develop principles to require that customers provide informed consent before broadband service providers share certain information with third parties (including account and usage information and other personally identifiable information); and

• Prompting the federal government to put additional resources into combating identity theft and fraud and enhancing consumer online security.

In addition, the Plan includes several privacy and data security recommendations in the smart grid and cybersecurity areas, including a recommendation that states require utilities to "provide consumers access to, and control of, their own digital energy information, including real-time information from smart meters and historical consumption, price and bill data over the Internet."  If states fail to do so within 18 months, the Plan recommends that Congress consider national legislation.

• Email This
• Print

The fifth edition of Hogan & Hartson’s Media & Communications Briefing, whose editor-in-chief is Hogan Partner Winston Maxwell , has arrived!  (Winston also is a member of the privacy and data security practice group.) This quarterly briefing updates our clients on legal and regulatory developments from around in the world in the Telecommunications, Media and Entertainment and High Technology sectors.  This edition features stories (bolded below) of particular privacy interest. 

The briefing includes articles on the following topics:

• New Commission, New Framework
• The Digital Dividend Auction in Germany
• Bloggers Beware: The FTC is Watching
• EU Reform Brings New Cookie Rules
• U.S. Universal Service Reform: Is 2010 the Year?
• Online Music Retailing: Towards Borderless Business
• French Government Releases Decree on Motion Picture Tax Credit
• Smart Grids
• Interview: French Copyright Law
• Digital Switchover
• Middle East International Film Festival and the Circle Conference

For a copy of the briefing, click here

• Email This
• Print

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

• Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
• Building Privacy by Design;
• Concerns surrounding the collection, use, and storage of transactional data; and
• The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

• Email This
• Print

A new white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation,  highlights the importance of building privacy into new "Smart Grid" technologies from the outset.  The paper is co-authored by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian, Jules Polonetsky and Hogan’s Christopher Wolf.  Wolf and Polonetsky co-authored the paper in their capacity as co-chairs of the Washington-based Future of Privacy Forum.

“The information collected on a Smart Grid will form a library of personal information, the mishandling of which could be highly invasive of consumer privacy,” said Christopher Wolf. “There will be major concerns if consumer-focused principles of transparency and control are not treated as essential design principles, from beginning to end.”

“The smart grid will provide benefits for the economy and the environment and could mean savings for individual consumers,” said Jules Polonetsky. “But the success of the grid will be completely dependent on consumers trusting that their data is being handled responsibly. If companies do not get privacy right from the start, billions will have been spent in vain.”

The paper outlines Commissioner Dr.Ann Cavoukian’s SmartPrivacy concept and how it can be used to address the privacy concerns raised by the Smart Grid.   

• Email This
• Print

We have distributed a Hogan & Hartson Privacy Update on the FTC's October 5 revisions to its Guides Concerning the Use of Endorsements and Testimonials in Advertising, the first modifications to these key advertising guidelines since 1980.  While the Guides are advisory in nature, they reflect situations in which the FTC may exercise its prosecutorial discretion to enforce Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

Key among the revisions is the guideline that bloggers and other Internet users who are compensated to endorse products must disclose this connection in their endorsement, and both the blogger and advertiser are responsible that factual claims about the product made by the blogger are substantiated.  Another key provision states that advertisers, when using an endorser whose experience does not reflect generally expected results when using the product, should issue a clear disclaimer communicating the generally expected results, departing from earlier enforcement policy that allowed advertisers to simply display a disclaimer stating that the endorser's results were not typical.  The FTC also added many examples to guide advertisers in their use of endorsers.

The update can be accessed here.

• Email This
• Print

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features.  According to the FTC, one of the websites allowed consumers to share photos and personal stories online.  In connection with the collection of personal information, the websites required that consumers provide their date of birth. 

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA.  Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.

• Email This
• Print

In Ethics Opinion 2009-1, Vermont has taken its place in line behind several other states that have found that a lawyer who produces electronic documents has a duty of reasonable care to avoid disclosing confidential metadata.  This is a straightforward approach that translates easily to a lawyer’s everyday practice.

The same cannot be said of the lawyer on the receiving end of the electronic document production.  The Vermont Bar Association found that:

"to insert an obligation into the Vermont Rules of Professional Conduct that would prohibit a lawyer from thoroughly reviewing documents provided by opposing counsel, using whatever tools are available to the lawyer to conduct this review.”  

Vermont’s ethics rules also mandate that the receiving lawyer must notify the producing party “if he knows or reasonably should know that the document was inadvertently sent.”

Okay, fine. But how would this work in practice?  Metadata is in a special class of data/documents because it often reveals corrections, deletions, comments, etc. that reveal attorney-client communications or attorney work product.  If the receiving party does not have the consent of the producing party to review metadata but is permitted to do so any way, doesn’t the Vermont rule amount to an invitation (if not an obligation) to mine for privileged data and then speak up later?  Vermont’s substantive state law may limit how or whether such data may be used, but still, isn’t this an unreasonable intrusion into the attorney-client relationship? 

Other states’ (e.g., Arizona, Florida, New Hampshire) ethics rules disincentive such mischief by prohibiting a lawyer receiving electronic communications from examining it for the purpose of discovering embedded metadata absent special circumstances (consent, accident).  Isn’t this bright-line rule more consistent with a lawyer’s ethical obligations of honesty and forthrightness?

• Email This
• Print

I was honored to be invited to speak at the IBM IT Services Legal Summit today in New York City on the topic of ethics and privacy.  As a launching pad for my discussion of privacy ethics, I used the episode from earlier in the year involving Justice Scalia and Fordham University Professor Joel Reidenberg whose privacy law class created a "digital dossier" on the Justice and his famiiy, using publicly available online information.

It seems unlikely that there are workable ethical guidelines to restrict access to and use of publicly available information on the Internet.  If information is on the Internet, searchable through Google, it is unlikely society can set new norms to restrict access. 

[P]ending a societal change in the ethics of what we do with information we can access online, what can be done?

Well, one place to start is at the input side of things. Before people reveal information about themselves or allow data to be collected about them, since it appears to be fair game once it is collected, what is the ethical duty to put people on notice on the collection side? 

I said that the duty, in which privacy lawyers play an important role, is to provide clear, easy-to-access notice to consumers before data is collected, referencing the recent Sears case at the FTC and the ongoing debate abut behavioral advertising.

A copy of my prepared remarks is available here. 

• Email This
• Print

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

• Email This
• Print

In the United States, regulators and policy makers are taking a close look at the issues surrounding behavioral advertising and how to protect the privacy of consumers.  A vigorous debate is occurring over self-regulation versus the asserted need for legislation or regulation.  So it is interesting to see what is going on in Europe in the realm of self-regulation. 

In the EU, a privacy and data protection certification seal for IT products and IT-based services is in place, called the EuroPrise Privacy Seal.  The EuroPrise Privacy Seal recently was awarded to a new German behavioral targeting system called Predictive Targeting Networking (PTN) 2.0 and offered by a company called Nugg.ad.  The Nugg.ad system addresses many of the privacy issues that regulators here and abroad have focused on, such as cookie expiration dates, logging of IP addresses, the notice given to consumers, and opt out.  

For more details, see this blog entry from the Future of Privacy Forum.  

• Email This
• Print

As recently reported in the New York Times and elsewhere, two prominent professors conducted a survey of American's feelings about online tracking for the delivery of tailored advertising.

The report on the survey shows that Americans have very strong feelings about tailored advertising and takes issue with the policy arguments in favor of the consumer value of online customization based on past user activity.  However, the authors suggest steps forward for industry based on “respect” and “information reciprocity”.

The Future of Privacy Forum will be hosting the authors of the study, Professors Chris Hoofnagle and  Joseph Turow, for a teleconference with Q&A on Tuesday, October 6th at Noon ET.

Readers of our blog are invited to participate.  To request call-in information, please email Heidi@futureofprivacy.org
 

• Email This
• Print

The Department of Homeland Security (DHS) has released new directives regarding government searches of electronic and digital devices at the U.S. border, including computers, disks, drives, tapes, mobile phones, cameras, and music and other media players.   The directives consist of guidelines for the U.S. Immigration and Customs Enforcement (ICE), dated August 18, and for the U.S. Customs and Border Patrol (CBP), dated August 20, and modify policies issued by CBP and ICE in July of 2008 under President Bush.   In addition, DHS released a Privacy Impact Assessment regarding these directives "to enhance public understanding of the authorities, policies, procedures, and privacy controls elated to these searches."

• Email This
• Print

Many people remember the now-dated cartoon from the New Yorker magazine showing two dogs sitting in front of a computer, with one observing to the other "the best part about the Internet is that no one knows you are a dog".  Even today, many people feel they enjoy complete privacy when interacting online, especially with certain social media sites.  But times have changed from when anonymity meant there were no obvious consequences to online conduct.  The proliferation of the use of social media is much in the news, and the legal issues also are proliferating.

Hogan & Hartson has just authored an advisory, available by clicking here, setting forth the considerations that arise when social media is used by three different groups — an entity itself, the employees of that entity, and third parties in reference to the entity. We discuss the benefits of social media, as well as issues and risks, from each of these three angles.

Also, the U.S. Food and Drug Administration recently announced that it will hold a two-day public hearing in November on how pharmaceutical companies use the web and social-media tools to market their products.  This is the first step in a process that will establish guidelines for drug makers using the tools of social networking.  The Hogan & Hartson advisory on this development is available by clicking here.

• Email This
• Print

When the State of Maine enjoyed a reputation as a bellwether for presidential elections, this expression was in common parlance:

As Maine goes, so goes the nation?

A host of businesses and colleges are hoping that old adage has no relevance when it comes to new laws to protect kids online.  Maine's  “Act To Prevent Predatory Marketing Practices Against Minors,” effective September 12, 2009, was the source of major controversy and litigation over the Summer because of the law's extreme overbreadth.  See, e.g.  "Child-Proofing Your Ads: New Maine Law restricts Marketing to Minors", National Law Journal (August 4, 2009)   

A lawsuit brought to enjoin the law from going into effect resulted in the plaintiffs and Maine's Attorney General agreeing that the law could violate the First Amendment to the United States Constitution because of its overbreadth.  U.S. District Judge John A. Woodcock dismissed the lawsuit without prejudice, observing that "[t]he Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications ... and accordingly has committed not to enforce it.”  The Order goes on to say any private suits brought under the law “could suffer from the same constitutional infirmities.”   Thus, most observers believe that businesses run little risk from non-compliance with the law in light of the Judge's observations even though they are dicta.

Even the sponsor of  the law now recognizes that it has problems, but according to press reports blames that on the fact that no one raised any issues during the public hearings on the legislation leading to the law. The law is expected to be revised when the Maine legislature reconvenes in January 2010.

It was over the course of the Summer when Maine’s leaders came to recognize that the hastily-passed law, although bearing a laudable pro-kids/anti-predation title, may not have been exactly what they thought it was. The closer look prompted serious second thoughts and the lawsuit that effectively stays enforcement of the law.

• To start with, the Maine law goes well beyond predatory practices because it covers all marketing to people under 18 in Maine, whether you know they are under 18 or not. And it greatly exceeds the scope of the federal Children’s Online Privacy Protection Act of 1998  (“COPPA”). 
  • On a national level, COPPA requires web site operators to obtain verifiable parental consent before collecting personal information online from children.  While COPPA applies to children under13 years old, the Maine law includes anyone under age18 and makes no distinction between information collection online or offline – it all is covered whether the business has a commercial web site or not. And unlike COPPA, which does not provide for a private cause of action, the Maine law allows individuals to bring civil suits and to seek punitive damages, equitable relief and attorney costs.
• Section 9552 of the Maine law prohibits knowingly collecting orreceiving "health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent." It also prohibits selling, offering to sell or otherwise transferring to another "health-related information or personal information about a minor."
• Section 9553 flatly prohibits using health-related or personal information about a minor for "marketing a product or service to that minor or promoting any course of action for the minor relating to a product." There is no parental consent exception.   So, while businesses may be able to collect, receive and sell a minor's information, as long the is verifiable parental consent, they may not use that information for marketing regardless of parental consent prior to collecting the data.

Like many state privacy laws, the coverage of the law extends to those wherever located who collect information from state residents.  Thus, businesses nationwide are covered. And those businesses appear to be prohibited from sending to those under 18 in Maine any marketing information, even materials requested by Maine kinds like college information and volunteer service brochures. No provision is made in the law for non-profit or educational institutions.  And, again, notably, the law does not require knowledge that the person to whom marketing information is sent is under 18, making compliance even more difficult.

At web sites where kids have signed up legally, the sites are banned from communicating with those people if there is a marketing message, even where there is a bona fide request for information.  

And so, businesses of all types would have a hard time figuring out how to exclude Maine’s minors from their marketing efforts without thwarting their legal right to send information to people in the 49 other states, DC and the territories.  That is why the lawsuit seeking an injunction against the law going into effect was brought.  The judge's order avoided an injunction against the State but made it clear that the law had Constitutional deficiencies. 

States often are heralded as incubators of our nation’s privacy laws, but in Maine, the “baby” may not be exactly what the parents expected.

• Email This
• Print

Within four days of each other, courts in D.C. and New York issued opinions setting forth the standard necessary to compel the discovery of the identity of anonymous speakers in cases in which the plaintiffs alleged that the anonymous speech defamed them. While they considered identical issues, the courts came to different conclusions regarding the strength of a plaintiff’s case required to unmask an anonymous speaker.

 In the New York case, an anonymous blog entitled “Skanks of NYC” posted suggestive pictures of Manhattan-based model Liskula Cohen with captions using the words “skank,” “skanky,” “ho,” and “whoring.” Cohen wanted to sue for defamation, and requested that the blog’s owner, Google, provide the blogger’s identity. When Google refused, Cohen sued to compel it to release the identity so she could proceed with her suit.

On August 17, in Cohen v. Google, New York trial judge Joan Madden granted Cohen’s motion, citing precedent stating that a petition for pre-trial discovery is warranted when “the petitioner demonstrates that he or she has a meritorious cause of action and that the information sought is material and necessary to the actionable wrong.” Noting that the use of the disparaging terms in context with the suggestive images carried “a negative implication of sexual promiscuity,” Madden held that the blog was “reasonably susceptible of a defamatory connotation” and thus was actionable. Since Cohen could not sue for defamation without the blogger’s identity, Madden deemed the identity “material and necessary to the actionable wrong” and ordered Google to disclose it. (The blogger turned out to be an acquaintance of Cohen’s whom Cohen reportedly disparaged to her ex-boyfriend, and is now planning to sue Google for revealing her identity. After determining the acquaintence’s identity, Cohen dropped her lawsuit.)

• Email This
• Print

The U.S. Court of Appeals for the Ninth Circuit held on August 6, 2009 that standing for private plaintiffs under the CAN-SPAM Act is limited.  Judge Richard Tallman, who authored the court's opinion in Gordon v. Virtumundo, Inc., No. 07-35487 (Aug. 6, 2009, 9th Cir.), noted that this was the first case in which the Ninth Circuit had attempted to comprehensively address the standing requirements under CAN-SPAM. 

The plaintiff, James S. Gordon, operated a website through which he provided email addresses for himself and friends and family members.  He intentionally registered these email addresses with 100-150 email mailing lists.  After the addresses began receiving commercial email, Gordon filed suit against many of the companies, including Virtumundo, Inc., that had sent such email.

The CAN-SPAM Act is primarily enforced by the Federal Trade Commission and state Attorneys General.  However, the Act does provide a private right of action for a "provider of Internet access service adversely affected by a violation."  The Ninth Circuit held that Gordon failed to satisfy either prong of this standing requirement. 

In addressing the service provider prong of the standing requirement, the court noted that the CAN-SPAM Act does not limit standing to traditional Internet service providers and cited to two lower court decisions that held that the social networking services MySpace and Facebook qualified as "access services."  While explicitly declining the opportunity to set forth a general test as to what it means to be "a provider of Internet access service ," the court found that Gordon's service was limited to setting up email accounts and passwords and executing other administrative tasks, which was not enough to raise him to the level of Internet access service provider within the meaning of CAN-SPAM.  Gordon's online access was provide by Verizon, and GoDaddy provided the service that enabled Gordon to create the email addresses and the personalized web site; according to the court, both of these entities could have a compelling argument that they are Internet access service providers.

As for the second prong of the standing requirement, CAN-SPAM itself does not define "adversely affected."  The Ninth Circuit noted that "the harm must be both real and of the type experienced by ISPs."  Where there is suspicion that "a plaintiff is not operating a bona fide Internet access service," courts should take an especially close look at the cited harms.  The court found that Gordon had failed to argue that he had suffered any real harm as contemplated by the CAN-SPAM Act.  He did not have to hire additional personnel, nor did he experience the technical concerns or costs that may be attributed to commercial email.  Rather, the court found that Gordon intentionally sought out and benefited financially from the burdens of which he later complained and could not be considered "adversely affected."

Finally, the court also held that Gordon's state law claims regarding allegedly misrepresented email header information were preempted by CAN-SPAM.  The court held that Gordon's claim that the "from lines" of the emails failed to clearly identify Virtumundo as the sender, did not rise to the level of "falsity or deception," the only type of state law commercial email claim excepted from CAN-SPAM preemption.

Gordon's claims were therefore denied on three counts:  (1) he was not an Internet access service provider; (2) he was not adversely affected; and (3) his state law claims were preempted by CAN-SPAM.  Three strikes and this plaintiff is out.

• Email This
• Print