The July 1, 2013, deadline for complying with the Federal Trade Commission’s (FTC) updated regulations implementing its Children’s Online Privacy Protection Act (COPPA Rule) is around the corner, as discussed in our post here on the FTC’s denial of additional time and its revised “Frequently Asked Questions” to guide compliance efforts. Our earlier advisory provides details on, e.g., the expansion of data collection activities covered by COPPA, including through persistent identifiers, new types of personal information whose collection will trigger the rule, clarification of how to obtain parental consent, refinements on what the Commission will deem to be a “child-directed” site covered by COPPA, and more. The FTC’s COPPA Rule amendments are the first update to capture technological developments and evolving popular online practices – primarily social networking, smartphone Internet access, and the ability to use geolocation information – that arose after the law was enacted.
By: Adam H. Greene
In January 2013, the U.S. Department of Health and Human Services released the HIPAA Omnibus Rule in the Federal Register, the most significant changes to the HIPAA regulations since they were first promulgated. These changes, however, are not yet reflected in the Code of Federal Regulations. For those of you who have been jumping back and forth between the prior codifications of the HIPAA regulations and the more recent HIPAA Omnibus Rule, there is good news. HHS has released an updated version of the HIPAA regulations, which incorporates the recent changes from the Omnibus Rule. The updated regulations are available here, as an “unofficial version.” The official version will not be available until title 45 of the Code of Federal Regulations is updated, likely in October.
Federal Cybersecurity Initiatives Demand Vigilance of Communication and Energy Infrastructure Owners and Operators
Cybersecurity initiatives are moving rapidly within the federal government and require owners and operators of critical infrastructure – including in particular Communication and Energy Systems, and those who supply and service them – to remain vigilant in managing cybersecurity risks. The National Institute of Standards and Technology (NIST) is moving quickly to develop the Cybersecurity Framework required by President Obama’s Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21), as detailed in our earlier posts here and here. At the same time, Congress continues to develop cybersecurity legislation to address concerns over the current state of cybersecurity and cyber-threat information-sharing in various sectors of the economy. Chief among these sectors are energy and communications, which are deemed “uniquely critical” in PPD-21 given their role in supporting all other critical infrastructure.
By: Ronald G. London
The Federal Communications Commission (FCC) has issued a long-awaited declaratory ruling governing when a company is liable under the Telephone Consumer Protection Act (TCPA), and the FCC’s telemarketing and autodialing rules, for violations committed by a third party that the company authorizes to sell its goods or services but does not directly ask or otherwise engage to telemarket. The FCC held that the company may be vicariously liable, under federal common law principles of agency, for TCPA violations that the third party commits.
Industry Must Comply by July 1, 2013, Can Look to Expanded FAQs for Guidance on Updated Rules for Information Collection and Disclosure, Parental Notice, and Requirements for Mobile Apps
By: Ronald G. London
The FTC has voted to retain the July 1, 2013 effective date for the revisions to its Children’s Online Privacy Protection Act (COPPA Rule), shortly after issuing revised “Frequently Asked Questions” (FAQs) to aid compliance efforts. The FAQs are a key interpretive resource, because there are few enforcement orders – and no real court precedents – that apply COPPA.
This post highlights some key clarifications and a few areas of uncertainty that remain in the FAQs, as a companion to our earlier advisory on the COPPA Rule revisions. Among other points, we explore guidance provided by the FTC staff in the FAQs regarding:
- How websites and online services subject to COPPA can handle newly added categories of personal information.
- The relationship between websites and online services subject to COPPA and third parties that collect personal information through such sites or services.
- The applicability of COPPA to mobile apps and some of the steps app developers/operators must take toward compliance.
- Additional detail on providing parental notice as streamlined by the COPPA Rule revisions.
- Steps required before children’s personal information may be disclosed to third parties.
On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.
The presentation focused primarily on two topics:
- Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
- Update on Mobile Regulatory Issues
By Dan Reing
On April 3, 2013, the National Institute of Standards and Technology (“NIST”) hosted the first of four planned Cybersecurity Framework Workshops at the Department of Commerce, consisting of five panel discussions among a variety of private and public stakeholders affected by the Executive Order on “Improving Critical Infrastructure Cybersecurity” (“EO”) issued February 13, 2013. As we previously discussed, the EO set in motion a process to develop and implement a national, voluntary Cybersecurity Standards Framework aimed at protecting the nation’s critical infrastructure and the provision of essential services to the American people. The EO tasked NIST with drafting the Cybersecurity Framework, and on February 24, 2013, it issued a Request For Information (“RFI”) seeking public comment on issues the Cybersecurity Framework should address. The RFI comment period closes on April 8, 2013.
By Brad Guyton
Updating our entry on this issue posted during the last Congress: on March 21, 2013, lawmakers in the House and Senate reintroduced companion bills intended to curb government use of mobile users’ geolocation data. The reintroduced Geolocation Privacy and Surveillance Act is almost identical to legislation introduced nearly two years ago, as described in our prior post. However, unlike two years ago, the bills are not accompanied by companion legislation requiring users’ permission for industry to share geolocation data, as was the case previously with the Location Privacy Protection Act of 2011.
The newly reintroduced Geolocation Privacy and Surveillance Act, sponsored again in the Senate by Sen. Ron Wyden (D-Or.) and in the House by Rep. Jason Chaffetz (R-Utah), would require the government and law enforcement agencies to obtain a warrant before accessing a person’s geolocation data, i.e., GPS information logged through Wi-fi networks and cellular towers. The legislation is modeled after existing wiretapping and electronic surveillance laws and would add to Title 18 of the U.S. Code a new chapter 120 entitled “Protection of Geolocation Information.”
Several exceptions would apply, including those for emergency responders, parents of minors, and intelligence investigations under the Patriot Act. In addition, the bill specifies that the Foreign Intelligence Surveillance Act and this legislation, if adopted, would be the only means by which geolocation information could be lawfully obtained by the government. The bills are expected to be referred to the Judiciary Committees in both chambers, neither of which acted on versions introduced in the previous Congress.
Last week, in In re National Security Letter, the United States District Court for the Northern District of California found unconstitutional two sections of the federal law allowing the FBI to issue “National Security Letters” (“NSLs”) to secretly demand subscriber records from ISPs, telecom carriers and other electronic service providers when investigating international terrorism or conducting clandestine intelligence activities. An as-yet-unnamed telecommunications provider challenged the federal law, and United States District Judge Susan Illston ordered the federal government to cease issuing NSLs and stop enforcing NSL gag orders, but stayed the order pending an expected appeal by the government to the Ninth Circuit.
By: Ronald G. London
The Federal Trade Commission (FTC) recently announced it concurrently filed eight complaints in courts around the United States against “senders of spam text messages” who allegedly engaged in deceptive acts or practices by promoting supposedly free gift cards. The complaints constitute what the FTC called a “crackdown” on affiliate marketers who allegedly “bombard consumers with hundreds of millions of unwanted spam text[s],” in order to steer them to allegedly deceptive websites promoting the cards.
While the conduct alleged by the FTC details the kind of gambit that often draws the agency’s wrath, the cases are also notable because they allege that merely sending unsolicited commercial texts can be an “unfair practice” under the Federal Trade Commission Act. As texting is already heavily regulated by the Federal Communications Commission (FCC) under the Telephone Consumer Protection Act (TCPA), which also allows private causes of action, including class actions, the FTC’s apparent position seems to up the ante for senders of commercial texts.
Following up on the President’s February 12, 2013 Executive Order on Cybersecurity and the related Presidential Policy Directive, discussed in our last blog entry, the National Institute of Standards and Technology (NIST) has issued a draft Request For Information (RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations – including standards, guidelines, and best practices – in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure.
On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.
The FTC and California's Attorney General Recommend Detailed New Privacy Practices and Disclosures for Entities Operating in the Mobile Environment
Be sure to spend some time with our recent advisory analyzing two important privacy developments affecting the mobile ecosystem. Our advisory focuses on the Federal Trade Commission Staff Report and the California Attorney General’s recent release of detailed recommendations and best practices for providers of mobile platforms, apps, ad networks, and their trade associations. Building on a series of recent actions emphasizing specific privacy concerns in the mobile space, the FTC’s Staff Report outlines recommendations to improve privacy disclosures and control at different levels of the mobile ecosystem. The California AG’s report addresses not just privacy disclosures, but recommends “best practices” for platforms, app developers, and ad networks that explicitly go beyond existing law. You can access the advisory here.
Be sure to spend some time with our advisory summarizing and providing guidance on the long-awaited “Omnibus Rule” amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) published today in the Federal Register. The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA’s reach and limits. It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA). The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA. You can access the advisory here.
Be sure to check out our recent advisory examining the extensive changes the Federal Trade Commission (FTC) made to its regulations implementing the Children’s Online Privacy Protection Act (COPPA Rule). The revisions update the Rule to cover technological developments and popular online practices such as social networking, smartphone Internet access, and the use of geolocation information. The advisory details how the FTC refined its definitions of “operator,” “personal information,” and “websites or online service directed to children,” and updated its requirements for providing notice and getting consent from parents, among many other changes the FTC described as seeking to “broaden and clarify” the Rule. The advisory, which also explores practical considerations arising from the updated regulations, can be accessed here.