A Telephone Consumer Protection Act (TCPA) case decided by the U.S. Court of Appeals for the D.C. Circuit has direct implications for all organizations that employ third-party providers to conduct their outbound calling and text messaging campaigns. It could also impact the extent to which courts will defer to the FCC’s guidance regarding the TCPA. In addition, on February 6, members of Hogan Lovells’ TCPA Practice will host a special webinar on recent TCPA developments and key compliance challenges for 2014.
Less than two months after the European Commission issued a report urging the Federal Trade Commission to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies — including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications — over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that they maintained a active Safe Harbor certification with the U.S. Department of Commerce when in fact they did not.
On February 6, 2014, members of Hogan Lovells’ Telephone Consumer Privacy Act Practice will host a webinar on recent TCPA developments and key compliance challenges for 2014. Among the topics that will be covered are how the Federal Communications Commission will apply the new “prior express written consent” requirements; what constitutes an “automatic telephone dialing system”; and whether and how the TCPA applies to mobile offerings and other new technologies and services.
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
•Generates “dynamic, multiple choice questions”;
•Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
•Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking.
On December 5, 2013, the FTC agreed to settle a complaint lodged against Goldenshores Technologies, LLC (Goldenshores) alleging that the company deceived users by misrepresenting its practices when collecting and sharing the personal data of users through its popular Brightest Flashlight Free mobile application. The original complaint and proposed settlement, adopted 4-0 by FTC vote, each provide insight into the agency’s evolving expectations of how a company should provide notice to users about its data collection and use practices.
The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.
With the new year fast approaching, the Federal Trade Commission and the National Telecommunications & Information Administration, a bureau within the Department of Commerce, recently announced a number of privacy initiatives for 2014 that will break new ground for both agencies and will impact a wide array of industries.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
A new paper published by the Future of Privacy Forum examines the appropriate privacy paradigm for the world of the Internet of Things. The paper was co-authored by Hogan Lovells Privacy and Information Management practice leader Christopher Wolf who also is the founder and co-chair of the Future of Privacy Forum (with co-author Jules Polonetsky). The [...]
On November 19, 2013 the Federal Trade Commission will hold its first ever workshop on the Internet of Things. The Workshop does not aim to debate regulation or codes of conduct, but is rather a fact finding mission aimed at uncovering the privacy and security concerns inherent in the Internet of Things, where a range of devices collect and communicate personal information perpetually.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (“Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests, which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
Last month, the FTC announced its settlement with technology company TRENDNet over charges that the company’s lax security practices led to the public exposure of private video feeds. TRENDNet manufactures a range of networking hardware, including Internet-accessible surveillance cameras. According to the FTC complaint, some of the feeds from these cameras were disclosed online without authorization. Under the terms of the settlement, TRENDNet is enjoined from misrepresenting the security and privacy features of its Internet-accessible products and their associated apps, and the company must establish a comprehensive security program subject to biennial third-party assessments. The FTC describes this settlement as the conclusion of the agency’s first enforcement action “against a marketer of an everyday product with interconnectivity to the Internet” – also known as the “Internet of Things.” Our post addresses what insights the settlement provides regarding the FTC’s current approach to enforcing security standards and indicates that the FTC may be broadening its characterization of sensitive data.
On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
On Wednesday, Harriet Pearson, a partner in Hogan Lovells’ Privacy and Information Management Practice, appeared on the Cyberlaw and Business Report Internet radio show to discuss newly enacted California privacy laws. This blog post contains a link to the interview and a downloadable podcast.
At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. This post contains prepared remarks to the commissioner’s on the need for interoperable cross-border privacy standards and the merits of the U.S. privacy regime.
With the focus this summer on nation-states’ collection of electronic data, an important question went unanswered – what rights do individuals have to challenge government access to their data? We set out to answer that question in the fourth installment in Hogan Lovells’ White Paper series examining government access to data held by service providers. In the White Paper, available through this blog post, we compared the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia, concluding that of the countries surveyed, the right of redress appears strongest in the United States.