On December 3, 2014, the Federal Trade Commission announced two administrative settlements with a medical Billing Provider, PaymentsMD, LLC, and its former CEO, Michael Hughes, for allegedly misleading thousands of consumers who signed up for an online billing portal by failing to adequately disclose that the company would seek detailed medical information from pharmacies, medical labs, and insurance companies. The FTC’s enforcement of Section 5 does not extend to businesses or organizations covered by the Health Insurance Portability and Accountability Act.
This Wednesday December 3rd, Hogan Lovells partner Christopher Wolf will be moderating a panel hosted by the Future of Privacy Forum and the International Association of Privacy Professionals entitled: “Device encryption: Too Much Privacy for Consumers?” The panel is free and open to the public.
The Alliance of Automobile Manufacturers and the Association of Global Automakers, the two leading trade associations for vehicle manufacturers, today unveiled a set of baseline protections for consumer’s personal information in the era of connected cars. The Privacy Principles for Vehicle Technologies and Services commit participating automakers to take important steps to protect the personal information retrieved from vehicles. Hogan Lovells was engaged by the Alliance to lead drafting of the Principles and a team led by Chris Wolf and including Tim Tobin and James Denvil worked on the project.
It should be standard practice for companies to review the transparency of material disclaimers and disclosures in their advertising before every ad campaign. However, some companies tend to pack material disclosures into fine print or otherwise minimize their significance. The Federal Trade Commission recently signaled to companies that it is paying attention to print and television ad disclosures. This follows the FTC’s renewed attention to online advertising as addressed last year in its updated .com Disclosures guidance for digital advertising
The Federal Communications Commission recently issued a Notice of Apparent Liability for Forfeiture proposing a $10 million penalty against TerraCom, Inc. and YourTel America, Inc. (collectively, the “companies”) for allegedly violating laws protecting consumers’ personal information. Specifically, the FCC alleged that the companies placed the personal data of up to 300,000 consumers at risk by storing Social Security numbers, names, addresses, driver’s licenses, and other proprietary information on unprotected Internet servers that “anyone in the world could access.” The decision is the FCC’s first case involving data security. It is also informative as to the FCC’s current and evolving expectations with regard to carriers’ duties to protect sensitive consumer information, and it underscores the need for organizations in the communications sector to keep a close eye on both FCC and Federal Trade Commission data privacy and security enforcement activity.
The Federal Trade Commission recently submitted comments to the Federal Communications Commission in which it reminded broadband Internet service providers that they are subject to several data privacy and security laws enforced by the FTC. The FTC’s comments underscore why broadband providers – as well as their vendors and business partners – must keep a close watch on both FCC and FTC developments in the privacy and security space.
Writing for Expert Guide: Competition and Antitrust Law, Hogan Lovells attorneys Dean Hansell and Charles Dickinson discuss the FTC’s current consumer protection initiatives and identify emerging areas of focus of the agency’s regulatory initiatives. Hansell and Dickinson also expect that the FTC may be “more willing to push enforcement initiatives” with its current roster of Commissioners and offer that “companies of all sizes would be well-served to understand how their businesses might fall under the FTC’s radar.”
Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015.
Writing for the New York Times “Room for Debate,” Christopher Wolf, Hogan Lovells partner and co-director of the firm’s global Privacy and Information Management group, focuses on the potential positive uses for Big Data, observing that “Big Data can also advance the interests of minorities and actually fight discrimination.” Wolf cites examples such as Entelo Diversity, an employee recruiting platform that promises to diversify workplaces by using powerful algorithms to analyze public data and find qualified candidates who are also members of underrepresented classes.
On May 27, the Federal Trade Commission issued a report on the data broker industry that found data brokers operate with a ”fundamental lack of transparency.” The commission unanimously recommended that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them that are collected and shared by data brokers. Not well-recognized at the time were a number of concerns, mini-dissents if you will, expressed by Federal Trade Commissioner Josh Wright. I recently asked Commissioner Wright some questions about his “dissent by footnotes.”
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data, the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. This blog post summarizes the results of the CNIL workshop.
Today, the Federal Trade Commission released Data Brokers: A Call for Transparency and Accountability. The report is an in-depth look at issues posed by the collection and dissemination of consumer information by the data broker industry and its findings will likely be used by both sides in the debate over data broker legislation and guide future FTC regulatory and enforcement activities in this space.
On May 7, 2014, the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.
On May 1, the Presidential Council of Advisors on Science and Technology released Big Data: A Technological Perspective. The report is billed as a technical accompaniment to the 90-day Big Data review performed by Presidential Counselor John Podesta and addresses “the nature of current technologies for managing and analyzing big data and for preserving privacy” and the evolving nature of those technologies. While the PCAST report, released to coincide with Counselor Podesta’s review, has received less media attention than the Podesta report, its findings may influence the Administration’s information-governance expectations of businesses.
As part of its 2014 Spring Privacy Series, the Federal Trade Commission in March held a seminar to examine alternative scoring products and the possible benefits and risks of their growing use. During the seminar, FTC attorneys Katherine Armstrong and Andrea Arias of the Division of Privacy and Identity Protection moderated a panel discussion between various stakeholders that included public interest groups, the data industry, and academics.
Over the next five years in the United States, thousands of drones are expected to be deployed for an array of commercial and governmental purposes. This prospect has captured the public’s imagination, and there are concerns about the privacy implications and whether new laws and regulations are needed. We here provide an overview of existing privacy requirements for Unmanned Aerial Systems (UAS) operating in the United States, describe new privacy proposals, and outline three scenarios that, depending on decisions by policymakers, could govern the privacy requirements for the commercial use of UAS for years to come.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
The Hogan Lovells Telephone Consumer Protection Act (TCPA) Working Group has published an alert addressing recent TCPA litigation and regulatory compliance developments. The alert notes that the number of TCPA cases is increasing and summarizes recent decisions that provide guidance regarding what constitutes prior express consent for non-telemarketing calls under the TCPA and its regulations. The alert concludes with some regulatory compliance tips to help minimize risk.
The Department of Education recently released a fourteen-page guidance document that intensifies the pressure on school districts, schools, and higher education institutions to examine and confirm the sufficiency of the procedures they use when engaging a service provider to host or process student data. A recent Hogan Lovells Education and Privacy Alert analyzes this guidance, through which the department has put entities covered by student privacy laws on notice of its expectations regarding their responsibilities when entering into these arrangements. Service providers who store and process student data on behalf of school districts and schools should therefore carefully consider the guidance and how it may affect the market for their services and the contractual demands from their education customers.
A Telephone Consumer Protection Act (TCPA) case decided by the U.S. Court of Appeals for the D.C. Circuit has direct implications for all organizations that employ third-party providers to conduct their outbound calling and text messaging campaigns. It could also impact the extent to which courts will defer to the FCC’s guidance regarding the TCPA. In addition, on February 6, members of Hogan Lovells’ TCPA Practice will host a special webinar on recent TCPA developments and key compliance challenges for 2014.
Less than two months after the European Commission issued a report urging the Federal Trade Commission to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies — including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications — over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that they maintained a active Safe Harbor certification with the U.S. Department of Commerce when in fact they did not.
On February 6, 2014, members of Hogan Lovells’ Telephone Consumer Privacy Act Practice will host a webinar on recent TCPA developments and key compliance challenges for 2014. Among the topics that will be covered are how the Federal Communications Commission will apply the new “prior express written consent” requirements; what constitutes an “automatic telephone dialing system”; and whether and how the TCPA applies to mobile offerings and other new technologies and services.
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
•Generates “dynamic, multiple choice questions”;
•Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
•Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.