Acquisitions Don't Nullify Prior Privacy Promises--FTC's Letter to Facebook & WhatsApp Gives Caution to All to Honor Privacy Protections in Mergers

Social networking site Facebook announced in February its plans to acquire WhatsApp—a “rapidly growing cross-platform mobile messaging company”—for the princely sum of $19 billion. While Facebook and WhatsApp are looking forward to a bright future together, the Federal Trade Commission is keeping a watchful eye on both companies regarding the privacy protections that WhatsApp promised its users in the past.
 
On April 10, 2014, the Director of the FTC’s Bureau of Consumer Protection Jessica Rich wrote executives at Facebook and WhatsApp and made clear that both companies must continue to honor WhatsApp’s prior policies and statements against collecting and sharing user data with advertisers—policies that, as Director Rich notes, exceed Facebook’s current privacy protections for its users. 
 
Continue Reading...

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

 
In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming….
 
Continue Reading...

New Advisory on Joint FTC/DOJ Statement Encouraging Private Sharing of Cybersecurity Information

Be sure to check out our new advisory examining the joint policy statement that the Federal Trade Commission and Department of Justice issued to facilitate companies’ sharing of cybersecurity information.  The policy statement seeks to reduce uncertainty under antitrust laws for companies wishing to share strategies for preventing and combating cyber-attacks, by stating the agencies’ analytical framework for such information sharing under their longstanding Antitrust Guidelines for Collaborations Among Competitors.  As explained in the advisory, the new policy statement should be helpful as far as it goes, but companies should still proceed cautiously so as not to stray into the area of prohibited concerted activity, and should keep in mind that the new statement does not reduce potential liability under electronic privacy laws for the disclosure of communications or personal information related to cyber threats.  You can read the advisory here.

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

 
In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.
 
Continue Reading...

OCR Releases Information on What Phase 2 HIPAA Audits Will Look Like

By Adam H. Greene

The new audits will look little like the old ones, with OCR conducting the audits itself and focusing on more high-risk areas, abandoning on-site visits, and potentially integrating audits into OCR's formal enforcement program.  To prepare, we suggest that covered entities and business associates consider the following steps:  

CONTINUE READING ...

Tags:

EU High Court Overturns Telecom Data Retention Requirements

 
The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.
 
Continue Reading...

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security


In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stating that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).
 
Continue Reading...

Social Networking for Jerks: FTC Goes After Site for Scraping Facebook Content

 
In the 1979 Carl Reiner film The Jerk, a new phonebook is delivered and Steve Martin, playing the title character, rejoices that “I'm somebody now! Millions of people look at this book every day! This is the kind of spontaneous publicity - your name in print - that makes people. I'm in print! Things are going to start happening to me now.”
 
As we all know, a quarter-century later, things have changed. Getting one’s name publicized takes only a few seconds—if not to millions of people, at least to whomever we’re connected on social media. But, according to the Federal Trade Commission, jerks still abound.
 
Continue Reading...

Updated Location Privacy Protection Act Introduced

 
On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.
 
Continue Reading...

Google "Street View" case may be headed for SCOTUS Review

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014.
 
Continue Reading...

Caution: Your Company's Biggest Privacy Threat is...the FTC

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.
 
Continue Reading...

Eleventh Circuit Adopts Seventh Circuit Jurisprudence Imposing Strict TCPA Liability on Autodialed and Prerecorded Calls and Texts

By Ronald G. London

The United States Court of Appeals for the Eleventh Circuit issued a decision in Osorio v. State Farm Bank aligning that court with the Seventh Circuit on how Telephone Consumer Protection Act (TCPA) restrictions on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls. 

As reported in Spring 2012, the Seventh Circuit case of Soppet v. Enhanced Recovery held that, where a company gets prior express consent to prerecorded-call and/or to auto-dial or auto-text a cell phone, as the TCPA requires, the caller can still be liable, if at the time the call is made the cell number has been reassigned to a new subscriber who did not consent.  This ups the ante considerably for companies who use automated dialing systems to reach customers, as does the new Eleventh Circuit Osorio decision, which holds, relying on Soppet, that “the consent must come from the current subscriber.”  Osorio is as concerning as Soppet given that TCPA limits on calls to cells encompass autodialed live-agent calls, prerecorded calls, and texts via autodialer, all without regard to the content of a call – i.e., whether it is marketing, or only for customer-care, debt-collection, or other informational purposes.

Continue Reading...

New Advisory on FCC TCPA Declaratory Rulings

Be sure to check out our recent advisory discussing two new Federal Communications Commission (FCC) declaratory rulings that involve communicating with cell phones via autodialed calls and texts, and by prerecorded call.  The rulings respectively allow the consent necessary for such calls to come from intermediaries for text-based social networks, and for package-delivery services to rely on assurances by package sender that addressees consent to autodialed/prerecorded calls/texts with delivery information.  Along the way, the FCC makes several broad and business-friendly statements that should help clarify current uncertainty surrounding the TCPA, and hopefully serve as a defense for some in what has become a booming TCPA class action practice.  You can access the advisory here.

Thank You Commissioner O'Rielly - FCC Acknowledgment of TCPA Confusion is Long Overdue

But One Vote is Not Enough for Action, Nor Does Action Assure a Favorable Outcome

FCC Commissioner Michael O’Rielly recently blogged that “It is Time to Provide Clarity” on issues swirling around application of the Telephone Consumer Protection Act (TCPA).  To this we say, “Hear, Hear!”

Continue Reading...

No Harm, Still Foul? Florida Court Approves Data-Breach Class Action Settlement

 
Data-breach class action suits may have just gained significant traction. On Feb. 28, 2014, the U.S. District Court for the Southern District of Florida approved a first of its kind class action data breach settlement that will pay plaintiffs regardless of whether they were damaged by the breach.
 
Continue Reading...