Europe Plans Significant Expansion in Data Protection Rights

European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.


Supreme Court Resolves Circuit Split By Allowing Suits Against Telemarketing Violations Into Federal Court Under "Federal Question" Jurisdiction

By Ronald G. London

The U.S. Supreme Court has issued a decision in Mims v. Arrow Financial Services, LLC, resolving a split among federal appeals courts by holding that claims under the Telephone Consumer Protection Act (TCPA), which provides consumers private rights of action for telemarketing violations, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.


FTC Consent Decree Targets Allegedly Deceptive Toolbar

By David Silverman

The FTC has reached a settlement with UPromise, Inc., a membership reward service aimed at helping save for college, to resolve charges that the company allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. Under the settlement, UPromise must destroy all data it collected under the “Personalized Offers” feature of its “TurboSaver” toolbar, clearly disclose its data collection practices and obtain consent to collection of personal information from those using the toolbar before it is installed or re-enabled, and must further establish a comprehensive information security program, requiring biennial independent security assessments, for the next 20 years.


FTC Enforcement Action Reinforces That Consumers Need Not Utter Any "Magic Words" in Requesting to Be Placed on Telemarketers' Internal Do-Not-Call Lists

Also Reinforces That Telemarketing Sales Rule’s Caller ID Flexibility Only Goes So Far

The Federal Trade Commission (FTC) has announced a $500,000 settlement of a telemarketing enforcement action that it brought based on allegations that the telemarketer interfered with the right of consumers to be placed on companies’ internal do-not-call lists, and that it altered outgoing caller ID to inaccurately display the identity of the calling party. The enforcement action is a reminder that telemarketing customer service reps must be trained to be particularly sensitive to understanding – and effectuating – consumer requests to be added to a company’s do-not-call list, even if they don’t request it in such specific terms.


Supreme Court Considers Damages for Privacy Violation's Emotional Harm

By Adam H. Greene

On Nov. 30, 2011, the U.S. Supreme Court held oral arguments in Federal Aviation Administration v. Cooper, No. 10-1024. At issue in the case is whether the plaintiff is entitled to damages under the Privacy Act of 1974 for emotional distress caused by the government’s disclosure of his HIV status, including “sleeplessness, loss of appetite, physical tension, agitation, isolation from friends and anxiety.”


Facebook Settles FTC Allegations of Privacy Violations

By Bob Scott

The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used personal information at Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.

The FTC’s investigation stemmed from Facebook’s November 2009 modification of its privacy policy, which allowed certain user profile information to be seen by the public. Facebook also allowed some third party applications and advertisers to access personal user information. In simple terms, the FTC’s draft complaint alleged that Facebook’s privacy practices did not match its stated policies, so that Facebook users were not accurately and meaningfully informed about the extent to which personal information would be shared by Facebook with third parties. The FTC characterized the detailed allegations as deceptive and unfair acts and practices prohibited by Section 5 of the Federal Trade Commission Act.

Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done” to protect users’ information.

The terms of settlement include Facebook’s commitments to:

  • accurately represent “the extent to which it maintains the privacy or security of covered information”;
  • clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
  • adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
  • establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
    • The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
    • The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook develop and use reasonable steps to use service providers (undefined) that are capable of appropriately protecting the privacy of covered information, and contractually require service providers to implement and maintain appropriate privacy protections as well;
  • maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.

The settlement tracks the FTC’s recent Google Buzz settlement. However, unlike the Google settlement, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with “service providers” who must also satisfy the settlement’s baseline, give the terms of Facebook’s settlement significant weight as de facto industry standards for FTC compliance.
 

Update: FTC Extends Comment Deadline for Children's Online Privacy Protection Act (COPPA) Rulemaking

As an update to our advisory FTC Proposes First Modifications to Children's Online Privacy Protection Act (COPPA) Rules Since Original Adoption in 2000, we note the Federal Trade Commission (FTC) has announced it is extending the comment-filing deadline, until December 23, 2011. The prior deadline had been November 28, 2011. The rule update proceeding seeks to examine whether and what changes may be necessary to reflect the evolution of technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.

FTC Enters into Consent Decree with Skid-e-Kids for COPPA Violations

By David M. Silverman

The operator of the Skid-e-Kids website, a self-described “Facebook and MySpace for kids,” has learned that it is not enough merely to have a privacy policy that requires parental consent prior to obtaining personal information online from children under the age of 13. Such website operators must actually abide by that policy as well. The Federal Trade Commission (FTC) reinforced that lesson via an enforcement action and settlement with the company this week.


Enforcement Trends in Health Care with Adam Greene

Nov. 10, 2011, 1:00pm:  Enforcement Trends in Health Care with Adam Greene

Over the past couple of years, we have seen a significant increase in enforcement of health care privacy laws at both the federal and state level. On November 10th at 1:00 pm EST, Davis Wright Tremaine’s Adam Greene will be presenting on this topic on a webinar of the International Association of Privacy Professionals.  More information, including registration, is available at https://www.privacyassociation.org/events_and_programs/web_conferences/.


EPIC Files FTC Complaint against Verizon Wireless

By Bob Scott and Rob Morgan

The Electronic Privacy Information Center (“EPIC”) filed a complaint on October 28, 2011 with the Federal Trade Commission (“FTC”) urging the FTC to investigate whether Verizon Wireless has engaged in “unfair and deceptive trade practices” by changing some of its data collection and disclosure practices. The public interest group alleges that Verizon Wireless’s prior customer agreements said that the company would not collect or disclose to third parties (such as advertisers) location information and other data without first obtaining users’ affirmative consent, and claims that Verizon Wireless’s recent announcement that it will track and share this kind of data in anonymized form violated this promise to customers.


FCC Expands Upward Adjusted Forfeiture Regime from Faxes to Prerecorded Calls

Building on last summer’s orders in two separate cases (discussed here and here) announcing it will make “upward adjustments” to fines against repeat violators of the “junk fax” law and rules, the Federal Communications Commission has now issued a notice of apparent liability (NAL) expanding that approach to prerecorded call violations, which are regulated under the same law and rules. In proposing to fine Travel Club Marketing Inc. and related entities nearly $3 million, the FCC makes clear its intolerance for repeat offenders, particularly when they attempt to mislead the agency and consumers.


New DWT PaymentLawAdvisor Post on MasterCard and Visa Targeted Advertising Initiatives

Regular visitors to this site might want to also bookmark and/or regularly visit our newly launched PaymentLawAdvisor, which provides commentary and resources on the payment industry, and frequently addresses privacy and security issues as they relate to retail payments.

Presently, you can view PaymentLawAdvisor’s recent post about plans by Visa and MasterCard to push into the targeted ads and offers business.  After a recent Wall Street Journal article (subscription required) discussed those plans and how they aspire to link vast amounts of payment card transaction data with other cardholder personal data (such as Internet browsing habits, social network websites, credit bureaus, insurance claims, and even DNA databanks), the companies faced scrutiny from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.), who sent them letters requesting more information about the privacy implications of their plans.  As PaymentLawAdvisor explains, such marketing tactics require careful structuring in order to comply with consumer privacy protections under the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”).

First Circuit Case Becomes One of First Successful Attempts to Assert Data Breach Class Action Liability

By Erin Nedenia Reid

In a departure from the recent trend of courts refusing to allow data breach claimants to seek mitigation damages, the First Circuit recently held in Anderson v. Hannaford Bros. Co. that credit and debit card payment processors may be held liable for mitigation damages in the wake of targeted card-number theft by a criminal enterprise. In Hannaford, the appeals court reversed a decision below that dismissed negligence and implied contract claims arising out of a 2007 breach of grocer Hannaford’s electronic payment processing system, which resulted in the theft of 4.2 million credit and debit card numbers. The First Circuit’s decision suggests credit and debit card payment processors may be at a higher risk than previously thought of facing viable class action claims in the wake of data breaches.


Congressmen ask FTC to Investigate Internet Use of "Supercookies"

By David M. Silverman

Two Congressmen have written a letter to the Federal Trade Commission (FTC) asking the FTC to investigate certain websites’ use of “supercookies” to track the activities of website visitors after they have left the website and without their knowledge. The letter, written by Congressmen Joe Barton (R-TX) and Ed Markey (D-MA), is based on an August Wall Street Journal article discussing their use. The cookies have become a key issue based on concerns they may be placed without knowledge of computer users and are practically invisible to them. Such so-called “supercookies” differ from traditional HTTP cookies that track user data in that they are small files hidden within Adobe Flash and elsewhere that remain on users’ computers even when browsing history and cache are cleared, and can be picked up even when browsing in “private browsing” mode.


HHS Text4Health Task Force Makes Texting Recommendations to Secretary

By Adam H. Greene

On Sept. 19, 2011, the U.S. Department of Health and Human Services (HHS) announced recommendations from an internal Text4Health Task Force on ways in which HHS can best utilize text messaging to improve population health. One of the issues raised by the Task Force is the need for further research and guidance on the privacy and security of health text messaging.
