Privacy and Security Law Blog : Privacy & Security Law Blog : Davis Wright Tremaine LLP : Seattle, Los Angeles, Washington D.C., New York, San Francisco, Shanghai, Portland and Anchorage Law Firm

Texting Absent Consent Now Subject Not Only to FCC Fines and Private Damage Claims, But FTC Enforcement As Well?

By Ronald G. London

The Federal Trade Commission (FTC) has settled an enforcement action with the sender of “loan mod” text messages and emails that, while unremarkable in alleging the contents were deceptive, is notable for treating the mere sending of unsolicited text messages as sufficient to trigger FTC authority to punish unfair and deceptive acts, practices, and methods of competition. The FTC action against the texts also is significant because text-message violations generally fall within the bailiwick of the Federal Communications Commission (FCC)—not the FTC—and laws and rules governing automated/prerecorded calls to cell phones. Under those rules, regardless of a text message’s content, prior express consent is required before sending. The FTC’s current action suggests it is reserving the right to pile on as well, if those rules are not followed.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Robert (Bob) Stankey and Adam Shoemaker

On Sept. 14, 2011, the European Union’s Article 29 Data Protection Working Party warned that an industry-sponsored online behavioral advertising (OBA) framework will not satisfy the requirements of new EU data privacy laws. The OBA framework, which was discussed in a Sept. 21, 2011 webinar by DWT attorneys Bob Stankey and Adam Shoemaker, is designed to provide website users with notice that behavioral advertising is being used, and to give them the opportunity to opt in or out of the cookies that these programs deploy. In its current form, the OBA system is manifested through a distinctive icon at the corner of web-based advertisements. Clicking on this icon permits the user to learn more about the advertising system and provides an opportunity to reject cookies.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The recent Federal Trade Commission (FTC) proposal to update its Children's Online Privacy Protection Rule (COPPA Rule) has hit the Federal Register.  As discussed in our advisory issued when the rule came out, which can be found here, this is the first time in the decade-plus history of the Rule that the FTC has proposed amendments.  The FTC seeks to update the rule to account for changes in technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.

Insofar as COPPA is designed to provide notice to parents and secure their verifiable consent prior to online collection and use of personal information from children under the age of 13, the changes could require significant operational changes for websites covered by the Rule.  Perhaps more importantly, COPPA is seen by some as a model for more general, farther-reaching regulation of uses of personal information, as we describe here.  Consequently, changes to the COPPA Rule to address many of the same technologies and practices that are at the center of privacy debates generally may resonate therein.  The FTC's proceeding is thus one that bears close attention.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The U.S. Court of Appeals for the Sixth Circuit recently issued a decision in Charvat v. NMP, LLC that addressed significant issues pertaining to federal court jurisdiction and statutory damages for telemarketing litigation arising under the Telephone Protection Act (TCPA). The decision is significant because it widens the split in the federal appeals courts on whether claims under the TCPA, which provides consumers private rights of action, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.It also is significant because, insofar as the TCPA provides for statutory damages of $500 per violation, trebled for “willful” violations, the Court allows that amount to be multiplied in some circumstances if several violations occur on a single call.

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link

By Robert (Bob) Stankey and Adam Shoemaker

On August 24, 2011, in accordance with the EU’s recent revisions to the 2002 e-Privacy Directive, France implemented a law introducing new consent requirements for electronic cookies as well as disclosure and notification rules related to data breaches. The French ordinance complies with the revised e‑Privacy Directive by requiring user consent before websites can track visitors with cookies. However, it permits this consent to be obtained from the setting of parameters or other communication system preferences under the user’s control, which means that browser settings may be sufficient prior consent.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Adam H. Greene

On Sept. 12, 2011, HHS announced the appointment of Leon Rodriguez as the Director of the Office for Civil Rights, the agency responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. Mr. Rodriguez is coming from the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff. He has extensive experience as a prosecutor at Department of Justice, a defense attorney in private practice, and as the county attorney for Montgomery County, Maryland.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This posting has been modified as of Sept. 8, 2011. Audit contracts are now available here.

By Adam H. Greene

In July 2011, DWT issued an advisory on HHS’ recent awarding of a contract to KPMG to conduct HIPAA privacy and security audits, available here. Since that time, we have obtained copies of the audit contracts, available here, and heard from the HHS Office for Civil Rights, shedding some additional light on what covered entities can expect:

• Audits that uncover major violations may lead to formal enforcement;
• The audits will focus on general privacy and security compliance;
• The contractor is expected to precede site visits with advanced requests for documentation, thereby providing some level of advanced notice;
• Audit teams are expected to consist of three to five persons and site visits are expected to last two to five days; and
• Pilot testing of the audit protocol is likely to begin later this year and proceed through January 2012, with the full round of audits occurring through the remainder of the year.

• Email This
• Print
• Share Link