Over the next five years in the United States, thousands of drones are expected to be deployed for an array of commercial and governmental purposes. This prospect has captured the public’s imagination, and there are concerns about the privacy implications and whether new laws and regulations are needed. Here we provide an overview of existing privacy requirements for Unmanned Aerial Systems (UAS) operating in the United States, describe new privacy proposals, and outline three scenarios that, depending on decisions by policymakers, could govern the privacy requirements for the commercial use of UAS for years to come.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
The Hogan Lovells Telephone Consumer Protection Act (TCPA) Working Group has published an alert addressing recent TCPA litigation and regulatory compliance developments. The alert notes that the number of TCPA cases is increasing and summarizes recent decisions that provide guidance regarding what constitutes prior express consent for non-telemarketing calls under the TCPA and its regulations. The alert concludes with some regulatory compliance tips to help minimize risk.
The Department of Education recently released a fourteen-page guidance document that intensifies the pressure on school districts, schools, and higher education institutions to examine and confirm the sufficiency of the procedures they use when engaging a service provider to host or process student data. A recent Hogan Lovells Education and Privacy Alert analyzes this guidance, through which the department has put entities covered by student privacy laws on notice of its expectations regarding their responsibilities when entering into these arrangements. Service providers who store and process student data on behalf of school districts and schools should therefore carefully consider the guidance and how it may affect the market for their services and the contractual demands from their education customers.
A Telephone Consumer Protection Act (TCPA) case decided by the U.S. Court of Appeals for the D.C. Circuit has direct implications for all organizations that employ third-party providers to conduct their outbound calling and text messaging campaigns. It could also impact the extent to which courts will defer to the FCC’s guidance regarding the TCPA. In addition, on February 6, members of Hogan Lovells’ TCPA Practice will host a special webinar on recent TCPA developments and key compliance challenges for 2014.
Less than two months after the European Commission issued a report urging the Federal Trade Commission to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies — including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications — over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that it maintained an active Safe Harbor certification with the U.S. Department of Commerce when in fact it did not.
On February 6, 2014, members of Hogan Lovells’ Telephone Consumer Privacy Act Practice will host a webinar on recent TCPA developments and key compliance challenges for 2014. Among the topics that will be covered are how the Federal Communications Commission will apply the new “prior express written consent” requirements; what constitutes an “automatic telephone dialing system”; and whether and how the TCPA applies to mobile offerings and other new technologies and services.
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.
The Federal Trade Commission (FTC) recently approved appropriately implemented “knowledge-based authentication” as a method for obtaining verifiable parental consent (VPC) under the Children’s Online Protection Act (COPPA). To be “appropriately implemented,” operators should assess whether any knowledge-based authentication technology:
• Generates “dynamic, multiple choice questions”;
• Asks “a reasonable number of questions with an adequate number of possible answers” to ensure that “the probability of correctly guessing the answer is low”; and
• Uses “questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.”
The FTC’s action provides online operators some welcome flexibility in implementing COPPA-compliant VPC strategies and demonstrates that the FTC will give serious consideration to VPC proposals.
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking.
On December 5, 2013, the FTC agreed to settle a complaint lodged against Goldenshores Technologies, LLC (Goldenshores) alleging that the company deceived users by misrepresenting its practices when collecting and sharing the personal data of users through its popular Brightest Flashlight Free mobile application. The original complaint and proposed settlement, adopted 4-0 by FTC vote, each provide insight into the agency’s evolving expectations of how a company should provide notice to users about its data collection and use practices.
The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.
With the new year fast approaching, the Federal Trade Commission and the National Telecommunications & Information Administration, a bureau within the Department of Commerce, recently announced a number of privacy initiatives for 2014 that will break new ground for both agencies and will impact a wide array of industries.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
A new paper published by the Future of Privacy Forum examines the appropriate privacy paradigm for the world of the Internet of Things. The paper was co-authored by Hogan Lovells Privacy and Information Management practice leader Christopher Wolf, who is also the founder and co-chair of the Future of Privacy Forum (with co-author Jules Polonetsky). The [...]
On November 19, 2013, the Federal Trade Commission will hold its first-ever workshop on the Internet of Things. The workshop does not aim to debate regulation or codes of conduct, but is rather a fact-finding mission aimed at uncovering the privacy and security concerns inherent in the Internet of Things, where a range of devices collect and communicate personal information perpetually.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (“Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests, which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
Last month, the FTC announced its settlement with technology company TRENDNet over charges that the company’s lax security practices led to the public exposure of private video feeds. TRENDNet manufactures a range of networking hardware, including Internet-accessible surveillance cameras. According to the FTC complaint, some of the feeds from these cameras were disclosed online without authorization. Under the terms of the settlement, TRENDNet is enjoined from misrepresenting the security and privacy features of its Internet-accessible products and their associated apps, and the company must establish a comprehensive security program subject to biennial third-party assessments. The FTC describes this settlement as the conclusion of the agency’s first enforcement action “against a marketer of an everyday product with interconnectivity to the Internet” – also known as the “Internet of Things.” Our post addresses what insights the settlement provides regarding the FTC’s current approach to enforcing security standards and indicates that the FTC may be broadening its characterization of sensitive data.
On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law”, which required EU websites to obtain consent from Internet users before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.